It's a race against the clock as attackers hunt for machines running a vulnerable version of Java (the current Java 7 release). The flaw, if exploited, lets an attacker do everything the logged-in user can do on that machine.
The so-called "0-Day Exploit" is a drive-by: the vulnerability is triggered by a malicious Java applet that loads automatically when a user visits a compromised or attacker-controlled web site. No click or prompt is needed. The applet escapes the Java sandbox and downloads and runs an executable (a dropper that installs further malware, such as a keylogger), giving the attacker free rein over the infected computer.
This is not one that lets Mac users crow about the superiority of their machines: investigations into the exploit have shown that Linux and Mac OS X are just as vulnerable as Windows when the attacker serves a payload built for that platform, because the hole is in Java itself rather than in the operating system. For the same reason the browser makes no difference: Opera and Safari are just as susceptible as Firefox, Chrome, Internet Explorer and any other browser with the Java plugin enabled.
You can go to http://www.isjavaexploitable.com/ to see whether Java is enabled in your browser. If it is, Krebs on Security provides directions on how to disable it in each browser. Disabling the browser plugin is enough to block this drive-by; Java itself can stay installed for desktop applications. I run Google Chrome, where disabling Java is a matter of a few clicks. Unfortunately, Internet Explorer users are not so lucky, and there are a bunch of hoops to jump through to disable Java there.
According to the FireEye Malware Intelligence Lab:
The initial exploit is hosted on a domain named ok.XXX4.net. Currently this domain resolves to an IP address in China. The attacker's web site is fully functional at the time of writing this article, i.e., on August 26, 2012.
A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems. The dropper executable is located on the same server.
Dropper.MsPMs then talks to its own CnC domain, hello.icon.pk, which currently resolves to the IP address 223.25.233.244, located in Singapore.
It's just a matter of time before a POC is released and other bad guys get hold of this exploit as well. It will be interesting to see when Oracle plans a patch; until then most Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis.
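The indicators FireEye publishes above are the kind of thing a network defender checks their proxy and DNS logs for right away. As an added example (not code from the original post or from FireEye), the Python script below matches log lines against the two usable indicators from the quote: the CnC domain hello.icon.pk (including any subdomain of it) and the IP 223.25.233.244. The exploit host is redacted in the quote and is deliberately left out. The simplified Squid-style and DNS log lines are constructed for illustration and are not real traffic.

```python
"""Check proxy/DNS log lines against the FireEye-published indicators.

Added example, not code from the original post or from FireEye. Indicators
are those quoted on this page (CnC domain hello.icon.pk, IP 223.25.233.244).
The log format and every log line below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators of compromise quoted from the FireEye post. The exploit host
# (ok.XXX4.net) is redacted in the source, so it is not included here.
IOC_DOMAINS = {"hello.icon.pk"}
IOC_IPS = {ipaddress.ip_address("223.25.233.244")}

# Constructed sample log (not real data): timestamp, client, then either a
# Squid-style request or a DNS query record.
SAMPLE_LINES = [
    "1346000000.123 10.0.0.5 TCP_MISS/200 512 GET http://hello.icon.pk/gate.php",
    "1346000001.456 10.0.0.7 TCP_MISS/200 2048 GET http://www.example.com/index.html",
    "1346000002.789 10.0.0.9 TCP_MISS/200 128 CONNECT 223.25.233.244:443",
    "1346000003.012 10.0.0.5 query A beacon.hello.icon.pk",
    "1346000004.345 10.0.0.11 query A nothello.icon.pk",
]

# Host appears after a URL scheme, a DNS "query <type> ", or "CONNECT ".
HOST_RE = re.compile(r"(?:https?://|query \w+ |CONNECT )([A-Za-z0-9.-]+)(?::\d+)?")
CLIENT_RE = re.compile(r"^\S+\s+(\S+)")  # second whitespace-separated field


@dataclass(frozen=True)
class Hit:
    client: str     # internal host that made the request
    indicator: str  # which IOC matched
    line: str       # the raw log line, for the analyst


def domain_matches(name: str, ioc_domain: str) -> bool:
    """True if name equals the IOC domain or is a subdomain of it.

    Matching on a label boundary avoids false positives such as
    'nothello.icon.pk' matching 'hello.icon.pk'.
    """
    name = name.lower().rstrip(".")
    return name == ioc_domain or name.endswith("." + ioc_domain)


def scan(lines):
    """Return a list of Hit records for every line touching an indicator."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        client = CLIENT_RE.match(line).group(1)

        for domain in IOC_DOMAINS:
            if domain_matches(host, domain):
                hits.append(Hit(client, domain, line))

        # Only direct-to-IP requests (e.g. CONNECT 223.25.233.244:443) parse
        # as an address; hostnames raise ValueError and are skipped here.
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(Hit(client, str(ip), line))
    return hits


def affected_clients(lines):
    """Sorted list of internal clients that contacted any indicator."""
    return sorted({hit.client for hit in scan(lines)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit.client} -> {hit.indicator}: {hit.line}")
    print("clients to triage:", ", ".join(affected_clients(SAMPLE_LINES)))
```

The domain and URL matches are the strong signal; a match on the IP alone deserves a second look before anyone is re-imaged, since a single address can host unrelated sites. Any client that hits the CnC domain should be treated as already running the dropper, not merely as having visited the exploit page.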
In fact, Oracle runs a strict three-times-a-year update schedule and there are no indications that the company will diverge from its standard updating protocol. Unless Oracle breaks with that schedule and ships an out-of-band fix, it looks as though we're stuck with this until October 16, the next scheduled Java update.
I'm taking this seriously -- the news isn't from some bullshit email forwarded from my mom or crackpot friend. The news is out there on reputable tech sites.
Needless to say, I've disabled Java on Chrome...
(Cross posted on The Firebird Suite where I blog about music, parenting, politics and not loving Phoenix)
9:05 AM PT: My first comment accused me of linking to a malware site -- I figured that would happen. All the links are to legit news and security sites where I first read about this.
Anyway, I'm not that devious... I'm a writer not a hacker.
If you don't want to click through the links I provided, Google '0-Day + Java + exploit' to get your own workaround.
9:23 AM PT: Removed the offending link, it was somehow hyperlinked when I blockquoted text from the FireEye site. Thanks to everyone who brought that to my attention!