Posted on Tuesday, August 28 2012 @ 19:44 CEST by Thomas De Maesschalck
A patch isn't available and the next scheduled update for Java is October 16th, 2012. Security firm Sophos notes that Oracle has a bad track record for releasing timely patches for Java exploits, but hopes that an out-of-cycle fix will arrive soon due to all the media attention this exploit is receiving.
Web users are advised to disable the Java plug-in, or if possible, to uninstall it. Alternatively, you can disable Java in your favorite browser and have an alternative browser available for the occasional site that requires Java.
Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker's code. The Metaploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).
Michael Schierl has performed a detailed analysis of the bugs and points out that it even disables the Java security manager.
Exploiting the vulnerability appears quite trivial and journalist Brian Krebs has already confirmed it will be added to the Blackhole Exploit kit.
This is very concerning as the Blackhole kit is the most commonly used exploit pack in use by criminals. Considering this is flaw is not patched and is not likely to be patched soon is a very dangerous situation.
