NEWS FROM THE LAB - Tuesday, August 28, 2012

Java Runtime Environment = Perpetual Vulnerability Machine Posted by Sean @ 11:49 GMT

Well folks… the perpetual vulnerability machine that is Oracle's Java Runtime Environment (JRE) has yet another highly exploitable vulnerability (CVE-2012-4681). And it's being commoditized at this very moment and will very soon find its way into popular exploit kits such as Blackhole.

Then, if you happen to have Java (JRE) installed, and have the browser plugin(s) enabled… you're at risk of a drive-by download. Based on the details we've examined thus far, all browsers can be exploited (though Chrome seems to be a bit of an open question).

No Java (JRE)

And because Java (JRE) is cross-platform, this potentially opens a door to non-Windows attacks… if the attacker has an appropriately configured payload to drop.

Uninstall Java (JRE) if you don't need (or use) it. If you do need (and want) it, then at least disable the browser plugin(s) when it's not in use. You could also consider installing an extra browser exclusively for Java-based sites.
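To make the "disable the plugin when it's not in use" advice repeatable on the non-Windows side the post mentions, here is an added shell example (not F-Secure's or Oracle's code) that audits the conventional Linux NPAPI plugin directories for the Java plugin library (libnpjp2.so, normally a symlink into the JRE) and moves it in and out of a sibling `plugins.disabled` directory. The directory list and the `.disabled` naming are this example's assumptions; override `PLUGIN_DIRS` for your distribution.

```shell
#!/bin/sh
# Added example, not from the original post: audit and reversibly disable the
# Java NPAPI browser plugin (libnpjp2.so) on Linux.

# Assumption: these are the directories Firefox-family browsers scan for NPAPI
# plugins on a typical Linux install. Set PLUGIN_DIRS in the environment to
# override (space-separated; paths are assumed to contain no whitespace).
PLUGIN_DIRS="${PLUGIN_DIRS:-$HOME/.mozilla/plugins /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins}"

# find_java_plugins: print the path of every libnpjp2.so found in PLUGIN_DIRS.
# Both regular files and (possibly dangling) symlinks count, because the JRE
# installer usually drops a symlink rather than a copy.
find_java_plugins() {
    for d in $PLUGIN_DIRS; do
        [ -d "$d" ] || continue
        p="$d/libnpjp2.so"
        if [ -e "$p" ] || [ -L "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# java_plugin_status: "enabled" if the browser can still load the plugin from
# any scanned directory, otherwise "absent".
java_plugin_status() {
    if [ -n "$(find_java_plugins)" ]; then
        echo enabled
    else
        echo absent
    fi
}

# disable_java_plugin: move each plugin out of the browser's search path into
# "<dir>.disabled" (example naming) so the change is easy to undo. mv moves the
# symlink itself, not the JRE library it points to, so the JRE stays intact.
disable_java_plugin() {
    for p in $(find_java_plugins); do
        dest="$(dirname "$p").disabled"
        mkdir -p "$dest" || return 1
        mv "$p" "$dest/" || return 1
        echo "disabled: $p -> $dest/"
    done
}

# enable_java_plugin: reverse of disable_java_plugin, for the sessions where
# a Java-based site is actually needed.
enable_java_plugin() {
    for d in $PLUGIN_DIRS; do
        p="$d.disabled/libnpjp2.so"
        [ -e "$p" ] || [ -L "$p" ] || continue
        mkdir -p "$d" || return 1
        mv "$p" "$d/" || return 1
        echo "re-enabled: $d/libnpjp2.so"
    done
}

# Usage, e.g. from a shell that has sourced this file:
#   java_plugin_status; disable_java_plugin; ...; enable_java_plugin
```

Run `java_plugin_status` first to see whether the plugin is reachable at all; a report of `absent` on a machine that still has a JRE installed means the drive-by path through the browser is closed while command-line Java keeps working.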

How do you mitigate this seemingly constant vulnerability? Tell us in this poll: