When security researchers discovered a zero-day exploit in the Java Runtime Environment in December, it took less than a month for the exploit to appear in multiple crimeware kits. Even following the recent introduction of a patch, attackers are looking for ways to take advantage of users, and an unrelated malware strain disguised as the update has surfaced, eWEEK reported. The incident highlights the increasingly complex landscape software developers are working in as they struggle to keep programs secure.
The original Java vulnerability allowed attackers to bypass the software’s sandbox and run arbitrary code. There was no way to mitigate it short of disabling Java in browsers, which security experts advised users to do at the time. The current malware strain does not take advantage of this vulnerability, but is rather a phishing attack disguised as the update. However, its appearance demonstrates the multivariate pressures created by a vulnerability that extend beyond the race to patch it as quickly as possible, Kevin Haley, director of Symantec Security Response, told eWEEK.
“There’s always been that when these zero-day vulnerabilities become public,” he said. “It’s in the public domain, the bad guys all want to take advantage of it. There’s a race between patches and exploits.”
Haley added that the growing black market for software security exploits is creating stronger incentives for hackers to find ways to take advantage of vulnerabilities. As the rewards for finding attack vectors increase, the speed at which exploits appear in the wild is increasing.
“You don’t have that lag time that there used to be before people start exploiting these vulnerabilities,” Haley told eWEEK.
As attackers rush to pounce on vulnerability announcements by any means available, vendors can fight back by taking steps to reduce the likelihood of a zero-day flaw appearing in their software in the first place. By using tools such as source code analysis, developers can make programs safer and preemptively head off the varied pressures a vulnerability creates.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.