Zero Day Java Vulnerability Allows McRat Trojan Infections

[Jack]

A newly discovered zero-day vulnerability in the most recent versions of Java 6 and Java 7 is being actively exploited by attackers to install malicious software on vulnerable PCs.

"We detected a brand new Java zero-day vulnerability that was used to attack multiple customers," FireEye security researchers Darien Kindlund and Yichong Lin said in a blog posted Thursday. "Specifically, we observed successful exploitation against browsers that have Java v1.6 update 41 and Java v1.7 update 15 installed," they said, referring to the two most recently released versions of Java 6 and Java 7.

The discovery of the new bug (CVE-2013-1493) makes for the third Java zero-day vulnerability to have been reported to Oracle this week.

So far, the FireEye researchers have publicly detailed the new vulnerability only in broad terms: "Not like other popular Java vulnerabilities in which [the] security manager can be disabled easily, this vulnerability leads to [an] arbitrary memory read and write in [the] JVM [Java virtual machine] process," they said.

Read more: http://www.informationweek.com/security/vulnerabilities/zero-day-java-vulnerability-allows-mcrat/240149816

 

[Moose]

Thanks for sharing!

 

[House_maniac]

thanks for the share jack

 

[softwareFREEk]

Oracle has released an emergency Java patch addressing the latest in-the-wild exploit targeting the software. The company suggests users apply this update "as soon as possible" due to "the severity of these vulnerabilities." The full patch description and download is available through Oracle's Technology Network (you can also get the patch through the software's auto-update).

This particular vulnerability is being exploited to install a remote-access trojan dubbed McRat. The attacks targeted Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. Security Editor Dan Goodin reported on the issue just three days ago, as attacks were being triggered when people with a vulnerable Java version visited a booby-trapped website.

It almost goes without saying—Java security has left something to be desired lately. High profile companies such as Facebook, Apple, and Twitter all fell at the hands of Java recently. These businesses disclosed that their computers were compromised by exploits later linked to a developer website hacked into a platform for Java exploits. Here at Ars, you can peruse nine separate stories involving Java exploits within the last month alone.

Read here: http://arstechnica.com/security/2013/03/oracle-releases-new-java-patch-to-address-this-weeks-mcrat-problem/