Researchers have uncovered yet another zero-day vulnerability in Java, and attackers are currently exploiting it in the wild.

The security flaw, if triggered, leads to arbitrary memory read-and-write in the Java Virtual Machine, Darien Kindlund and Yichong Lin, two researchers at FireEye, wrote on the FireEye Malware Intelligence Lab blog Thursday. If successful, the attack code downloads a McRAT dropper and information-stealing Trojan onto the victim's computer. It is a different type of flaw than some of the others we've seen recently.

FireEye said several of its customers saw the attack against browsers with Java enabled. The security flaws are in Java v1.6 Update 41 and the latest Java v1.7 Update 15, which was just released Feb. 19, according to FireEye. The researchers have already disclosed the vulnerability to Oracle (CVE-2013-1493). No other information is currently available from Oracle.
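A quick way to tell whether an installed JRE is at or below the update levels FireEye named (1.6u41, 1.7u15) is to parse the banner `java -version` prints. This is an added example, not code from the article or from FireEye; it assumes the standard `java version "1.x.0_NN"` banner format and that any build at or below those update levels cannot yet carry a fix for CVE-2013-1493.

```python
import re
import subprocess

# Latest update levels named in the FireEye report as affected by CVE-2013-1493.
# Assumption: a JRE at or below these levels predates any fix for the bug.
REPORTED_AFFECTED = {6: 41, 7: 15}

# Matches the first line of `java -version`, e.g. java version "1.7.0_15"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, e.g. (7, 15).

    Returns None when the banner does not contain a recognisable version string.
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    family = int(match.group(1))
    update = int(match.group(2) or 0)  # "1.7.0" with no update suffix is update 0
    return family, update


def classify(banner):
    """Classify a banner as 'unpatched', 'newer', or 'unknown'.

    'unpatched' means the family is one FireEye named and the update level is
    at or below the reported one; 'newer' means a later update of that family;
    'unknown' covers unparseable banners and families the report does not name.
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    ceiling = REPORTED_AFFECTED.get(family)
    if ceiling is None:
        return "unknown"
    return "unpatched" if update <= ceiling else "newer"


def check_local_java():
    """Run `java -version` on this machine and classify the result.

    The JVM prints its banner to stderr, so both streams are inspected.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"  # no java on PATH: nothing to assess
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print("local JRE:", check_local_java())
```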

More Zero-Days

FireEye researchers summed up the prevailing sentiment well in the post's title, “YAJ0: Yet Another Java 0-Day.” While Java has been a popular attack target for a long time, there seems to be an explosion of Java zero-days being exploited in the wild over the past two months. It's the same cat-and-mouse game we've seen with other companies. A zero-day is found, the company patches it, a new zero-day is found. Wash, rinse, and repeat.

Oracle, the company well-known for its reluctance to release patches out-of-schedule, has released several emergency updates in the past year because the bugs have been so serious. The company released a scheduled update Feb. 19, but it is likely this bug will spur yet another emergency patch.

Turn It Off, Or Limit It

Are you tired of the whole merry-go-round and want a way to jump off? Turn off Java in the browser. Disable the plugin. We show you how to disable Java. Are you one of the many, many people who need Java for work and school purposes and can't turn off Java in the browser?

Here is what you can do. You disable Java in your default, primary browser. The browser you use the most should not have Java at all. And then you install the browser you don't use all that often—most people generally have more than one browser installed on their computers, anyway—and enable Java in that. The important thing here, though, is that you don't, never ever, absolutely never, use that browser to go to any site other than that handful of sites you need to run Java on. You need to use Blackboard? You fire up the Java-browser. You need to look up something that was mentioned during the Blackboard session? Instead of clicking, copy the link, fire up your default browser, and paste it in.

It adds a lot of extra steps, and I can tell you that it is tremendously annoying. But I feel safer knowing that I am reducing my chances of getting hit with a watering hole attack. Think about all those mobile developers at Facebook, Twitter, Microsoft, and Apple. They visited an iOS developer Web site (probably a site they visited with regularity, considering their jobs) with browsers that had Java enabled, and were compromised.

If you are annoyed enough, you will do the next step, which is pressure the company to stop using Java. “There is no longer any reason for Websites to be using Java applets,” Chester Wisniewski, of Sophos, told me at the RSA Conference this week. You can pressure IT to start switching to a different product. As customers, you can tell the vendor to come up with a non-Java alternative, or when it comes time to renew the subscription or contract, you will cancel and go to a different product. Money talks.

Wisniewski said he didn't make the decision to recommend turning off Java lightly. He considered the ramifications carefully and came to the conclusion that at the moment, it was the safest thing to do.
