Java zero-day exploit goes mainstream, 100+ sites serve malware

Blackhole exploit toolkit adds attack code that leverages unpatched bugs


Firefox developers are also ready to issue a kill order for the vulnerable Java 7 plug-in, according to a discussion on its Bugzilla code change and bug-fixing database.

Mozilla has the ability to add extensions or plug-ins to the Firefox add-on blocklist if they cause significant security or performance issues. Firefox automatically queries the blocklist and notifies users before disabling the targeted add-ons.

"Oracle is unlikely to patch this ahead of their scheduled October update and that's plenty of time for evil-doers to profit if we don't block until then," said Daniel Veditz, a Firefox security engineer, on Bugzilla.

Oracle is scheduled to release its next Java security update Oct. 12.

Although the current exploits -- and Blackhole -- target only Windows PCs, some machines running OS X will also be vulnerable to attacks if hackers integrate the Java zero-days in Mac-specific malware.

Apple stopped bundling Java with OS X starting with 2011's Lion; this year's Mountain Lion also omits Java. Those users, however, may still have Java 7 installed. When a browser encounters a Java applet, OS X asks the user for permission to download the Oracle software.

People running the older Snow Leopard (2009) and Leopard (2007) are apparently not at risk, since Java 7 requires the more recent Lion and Mountain Lion. The unpatched vulnerabilities are present only in Java 7.

While more than half of all Macs were running Lion or Mountain Lion as of July 31, statistics on OS X Java 7 installations were unavailable.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is



Copyright © 2012 IDG Communications, Inc.
