More than a billion users worldwide are exposed to the Java zero-day flaw recently disclosed on underground forums, which can be exploited to execute arbitrary code on users' machines.
Oracle's platform is installed on some 3 billion devices, but not all of them run the vulnerable Java 7 release (version 7.1, as reported). Oracle issues scheduled Java security updates only every four months, and the next one is due on October 16.
Bitdefender Labs has already pleaded for the "three billion reasons for which Java should get an official update, yesterday," in the form of a short graphic novel that opens with a website luring unsuspecting users with downloadable freebies.
"Now, if this reads to you as an advertisement for Metasploit, you may be in the wrong business," BD Labs security experts said. "If on the other hand it's making you question the Java update policy and wondering if it may be time for an unofficial patching framework to match, you might want to drop us a line."
HotForSecurity covered the Java bug, and its Metasploit and BlackHole exploits, after spotting the news on the Rapid7 community site. The exploitation method is spreading widely on the Internet and has already been integrated into two of the world's most popular frameworks: Metasploit, a tool used by penetration testers, and the Blackhole Exploit Pack, a malware toolkit favoured by cyber-criminals.
Zero-day exploits are attacks that take advantage of vulnerabilities that were not publicly known before the attack; the name refers to the vendor having had zero days to prepare a patch before the flaw was exploited. Security specialists advise users to disable Java in their web browser, which removes the drive-by attack surface entirely, or to downgrade to an earlier release such as Java 1.6 that is not affected by this flaw. Note that downgrading is a stopgap: an older release that is no longer the current branch will still carry whatever other bugs were fixed since it shipped, so disabling the browser plug-in is the safer option.
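To act on the advice above, the first thing a practitioner needs to know is which Java family a machine is running. The following is an added example (not code from the article or from Bitdefender) that parses the output of `java -version` and reports whether the installed runtime is on the Java 7 branch the article describes as affected. The sample output string is constructed for the example; the function names and the assumption that Java 6 is the safe branch follow the article's own statement.

```python
import re
import subprocess

# Constructed sample in the format that `java -version` prints to stderr.
SAMPLE_OUTPUT = '''java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)
'''

# Matches both the legacy "1.7.0_06" scheme and the newer "17.0.2" scheme.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (family, update), e.g. (7, 6) for "1.7.0_06", or None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    # Legacy numbering puts the family in the second field (1.7.0 -> 7);
    # Java 9+ puts it in the first (17.0.2 -> 17).
    family = int(minor) if int(major) == 1 else int(major)
    return family, int(update or 0)


def is_java7_branch(output):
    """True when the runtime is on the Java 7 family the article reports as vulnerable."""
    version = parse_java_version(output)
    return version is not None and version[0] == 7


def installed_java_version():
    """Run the local `java -version` and parse it; None if Java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    # Older JDKs print the banner to stderr, newer ones may use stdout.
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print("sample:", parse_java_version(SAMPLE_OUTPUT),
          "java 7 branch" if is_java7_branch(SAMPLE_OUTPUT) else "not java 7")
    print("installed:", installed_java_version())
```

The check only tells you which family is installed; whether the browser plug-in is enabled is a separate setting in each browser and must be verified there.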