[sf-lug] Java Exploit code found

Bobbie Sellers bliss-sf4ever at dslextreme.com
Wed Aug 29 14:47:52 PDT 2012

Hi LUGgers,
     A Norwegian SysAdm noted this on another mailing list. I have seen
nothing about it here as far as I can remember, so am passing it on.

An analysis of exploit code found shortly after the first Java flaw was
discovered Sunday revealed the second vulnerability. The code has been
tied to attackers in China.

"The beauty of this bug class is that it provides 100% reliability and
is multiplatform," Esteban Guillardoy, a developer at Immunity, said
Tuesday in announcing the discovery of the second bug. "Hence this will
shortly become the penetration test Swiss knife for the next couple of

Users of Java, which is installed in billions of devices worldwide, are
notorious for not staying up to date with patches. Rapid7 estimates that
65% of the installations today are unpatched. However, this time around,
people with the latest version of Java were the ones most open to attack.

The bugs are in Java 7 and affect Windows, Mac OS X and Linux operating
systems running a Web browser with a Java plugin enabled. The flaws were
introduced with the release of the platform on July 28, 2011, Guillardoy
said in his analysis.

Java steward Oracle has not released a fix for either vulnerability.

Researchers are advising computer owners to disable Java in all
browsers. "That would be the only solution, right now," said Tod
Beardsley, a bug testing engineering manager for Rapid7.
