Java Runtime Environment = Perpetual Vulnerability Machine Posted by Sean @ 11:49 GMT
Well folks… the perpetual vulnerability machine that is Oracle's Java Runtime Environment (JRE) has yet another highly exploitable vulnerability (CVE-2012-4681). And it's being commoditized at this very moment and will very soon find its way into popular exploit kits such as Blackhole.
Then, if you happen to have Java (JRE) installed, and have the browser plugin(s) enabled… you're at risk of a drive-by download. Based on the details we've examined thus far, all browsers can be exploited (though Chrome seems to be a bit of an open question).
»
www.f-secure.com/weblog/archives···413.htmlThe malware that is currently exploiting the vulnerability
»
www.symantec.com/connect/blogs/n···012-4681The scariest part about all of this is that the next scheduled Oracle patch release is October 16. As Oracle has a policy of not issuing out-of-band updates, this means nearly two months of time where attackers can exploit this without root mitigation by the vendor. In the interim, security researcher Michael Schierl has released an unofficial patch, which is for now only available by request.
»
vrt-blog.snort.org/2012/08/cve-2···ava.html--
Gladiator Security Forum
»www.gladiator-antivirus.com/
