A software security vulnerability fixed in Oracle’s most recent Java Critical Patch Update, which was released on April 16 and addressed 42 flaws, has already begun to appear in several popular exploit kits, according to researchers. The rapid addition of the flaw to cybercriminals’ portfolios underscores the challenge developers face when relying on patches to protect software following its release rather than securing applications ahead of time.
Security researchers at F-Secure first reported spotting the exploit for vulnerability CVE-2013-2423 in the wild in a blog post on April 21. Oracle gave the flaw a 4.3 CVSS rating, and it can only be exploited through untrusted Web Start applications and applets on client deployments. It was being exploited just one day after being added to the popular open source Metasploit framework, a tool used by penetration testers.
According to a blog post by an independent researcher known as Kafeine, the vulnerability has already been integrated into the Cool Exploit Kit and is being used to install Reveton, a ransomware application. Ransomware is a type of malware that locks infected machines and extorts victims for money.
“This wouldn’t be the first time when cybercriminals have taken Metasploit exploit modules and adapted them for use with their own malicious attack toolkits,” IDG News Service’s Lucian Constantin noted in an article recapping the exploit.
Consumers can protect themselves against the flaw by upgrading Java. However, the appearance of the flaw in exploit kits so soon after it was patched likely means that a large number of Java users are still vulnerable.
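The article's advice is to upgrade, and the first defensive step on any fleet of clients is knowing which Java each one runs. The script below is an added example, not code from the article, from Klocwork or from Oracle. It parses the version string that `java -version` prints and compares it with a minimum version; the `MIN_JAVA_VERSION` variable and its default are placeholders, since the article does not give a fixed version number, and the real value should be taken from the vendor's Critical Patch Update advisory. The parser handles both the legacy `1.7.0_17` form and the newer `11.0.2` form, which is more than the 2013 case needs.

```shell
#!/bin/sh
# Added example (not from the article): report whether the installed Java
# runtime is at or above an operator-supplied minimum version.

# Split a Java version string into "family minor update".
# Legacy form "1.7.0_17"  -> "7 0 17"; modern form "11.0.2" -> "11 0 2".
# A build suffix such as "-b11" is dropped before parsing.
java_version_parts() {
  v=${1%%-*}                                 # "1.7.0_21-b11" -> "1.7.0_21"
  v=$(printf '%s' "$v" | tr '_' '.')         # "1.7.0_21"     -> "1.7.0.21"
  case $v in
    1.*) v=${v#1.} ;;                        # legacy: strip the leading "1."
  esac
  family=${v%%.*}
  rest=${v#"$family"}; rest=${rest#.}
  minor=${rest%%.*}
  rest=${rest#"$minor"}; rest=${rest#.}
  update=${rest%%.*}
  printf '%s %s %s\n' "${family:-0}" "${minor:-0}" "${update:-0}"
}

# Return 0 (true) when version $1 is at or above version $2, 1 otherwise.
java_version_at_least() {
  set -- $(java_version_parts "$1") $(java_version_parts "$2")
  # $1 $2 $3 = installed family/minor/update; $4 $5 $6 = required
  [ "$1" -gt "$4" ] && return 0
  [ "$1" -lt "$4" ] && return 1
  [ "$2" -gt "$5" ] && return 0
  [ "$2" -lt "$5" ] && return 1
  [ "$3" -ge "$6" ]
}

# `java -version` writes to stderr, e.g.:   java version "1.7.0_17"
installed_java_version() {
  java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Placeholder: the minimum patched version comes from the vendor advisory,
# not from the article. Override with MIN_JAVA_VERSION=... in the environment.
MIN_JAVA_VERSION=${MIN_JAVA_VERSION:-"1.7.0_0"}

if command -v java >/dev/null 2>&1; then
  installed=$(installed_java_version)
  if java_version_at_least "$installed" "$MIN_JAVA_VERSION"; then
    echo "java $installed: at or above $MIN_JAVA_VERSION"
  else
    echo "java $installed: BELOW $MIN_JAVA_VERSION, upgrade needed"
  fi
else
  echo "java not found on PATH (nothing to check)"
fi
```

Run it on each client with the advisory's version in `MIN_JAVA_VERSION`; a machine that reports BELOW is one the article's exploit kits can still reach. Because the article notes that the flaw is reachable only through untrusted Web Start applications and applets, a client that cannot be upgraded immediately also reduces its exposure by disabling Java content in the browser from the Java Control Panel.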
The incident demonstrates that once a vulnerability is public knowledge – even though it is being shared for security purposes by researchers and testers using legitimate tools – it can be quickly assimilated into attackers’ toolboxes. To provide better software security and ensure users are not, counterintuitively, exposed to new threats following a patch announcement, developers can use tools such as static analysis software, which lets them catch errors before release.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.