Exploit for recently patched Java flaw added to CrimeBoss exploit kit
Posted on 23 April 2013.
If you are still using Java, you insist on updating in manually and you haven't gotten around to installing the latest Critical Patch Update released a week ago, you are advised to do it now, as an exploit for one of the vulnerabilities it patched has been incorporated into a popular exploit kit and is being actively used in the wild.

The exploited flaw (CVE-2013-2423) affects only client deployments of Java (versions 7u17 and before), and allows remote attackers to execute malicious code without having to authenticate themselves in order to do it.

According to Timo Hirvonen, anti-malware analyst at F-Secure, the kit sporting the exploit is CrimeBoss, and the exploit has been partially copied from the source code of the Metasploit module that targets the flaw.

In fact, researchers reported that it took the kit's developer(s) only a day to fit the exploit it, and it has been spotted being used in the wild starting on Sunday, April 21.

In the meantime, Security Explorations CEO Adam Gowdiak reported to Oracle a new Java 0day affecting all versions of Java SE 7, which can be used to achieve a complete Java security sandbox bypass on a target system, but requires user interaction.









Spotlight

What can we learn from the top 10 biggest data breaches?

Posted on 21 August 2014.  |  Here's a list of the top 10 biggest data breaches of the last five years. It identifies the cause of each breach as well as the resulting financial and reputation damage suffered by each company.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //