US-CERT Warns Of Possible Java Hacking Exploit
The US Computer Emergency Readiness Team (US-CERT) said Thursday that internet users should consider disabling Java in their browsers due to an exploit that can allow remote attackers to hack a vulnerable system.
Security experts reported that cyber-criminals have been utilizing a zero-day vulnerability in Java to attack computer systems. Attackers stealthily install malware on the computers of users who visit compromised websites, according to Computerworld. The US-CERT security alert states the agency is “unaware of a practical solution to this problem.”
US-CERT recommends that you disable Java in your browser to prevent the hackers from accessing your system. The weakness can allow an untrusted Java applet to escalate its privileges, bypassing the security restrictions that would normally apply to it. US-CERT said Oracle Java 7 Update 10 and earlier are the most vulnerable.
“This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.”
InfoWorld reports that Bogdan Botezatu, a senior e-threat analyst at Bitdefender, stated in an email:
“We can confirm that this is a new vulnerability. We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well; we’re currently analyzing whether other older updates are vulnerable.”
Two spokeswomen for Oracle, Java’s distributor, weren’t available for comment.
“I think that Oracle will not issue an out-of-band patch again without thoroughly investigating the full extent of the damage and ensuring the quality of the patch. The last out-of-band patch for Java that was released in August actually opened the door for a similar exploitation technique on Java versions that were not vulnerable before the exploit. I believe this was an important lesson that might delay the release of a fix.”
In the end, it should be established that if it can be built, it can be exploited.