Expert Finds Java 1.7 Zero-Day on High-Profile Website

[Nytro]

[h=1]Expert Finds Java 1.7 Zero-Day on High-Profile Website[/h]

January 10th, 2013, 14:29 GMT · By Eduard Kovacs

The security expert known as Kafeine, the curator of the Malware Don’t Need Coffee website, has come across a new Java zero-day.

The vulnerability affects the latest Java 1.7 and it has been found on a website that allegedly records hundreds of thousands of hits each day.

Experts from AlienVault have analyzed the exploit and they've shown that a malicious Java applet can be used to execute code (in their example, the Calculator application from Windows).

“The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681,” AlienVault’s Jaime Blasco explained.

Researchers from Bitdefender are also analyzing the zero-day which, they say, has been integrated into the recently developed Cool exploit kit.

While more details of the vulnerability come to light, experts advise users to disable Java and avoid clicking on suspicious links.

Sursa: Expert Finds Java 1.7 Zero-Day on High-Profile Website - Softpedia