Java Runtime Environment = Perpetual Vulnerability Machine Posted by Sean @ 11:49 GMT
the perpetual vulnerability machine that is Oracle's Java Runtime Environment (JRE) has yet another highly exploitable vulnerability (CVE-2012-4681). And it's being commoditized at this very moment and will very soon find its way into popular exploit kits such as Blackhole.
Then, if you happen to have Java (JRE) installed, and have the browser plugin(s) enabled
you're at risk of a drive-by download. Based on the details we've examined thus far, all browsers can be exploited (though Chrome seems to be a bit of an open question).
The malware that is currently exploiting the vulnerability
The scariest part about all of this is that the next scheduled Oracle patch release is October 16. As Oracle has a policy of not issuing out-of-band updates, this means nearly two months of time where attackers can exploit this without root mitigation by the vendor. In the interim, security researcher Michael Schierl has released an unofficial patch, which is for now only available by request.
Gladiator Security Forum