A Java vulnerability seemingly first discovered by an independent French malware researcher has been confirmed by the US Government.
A statement from the US Computer Emergency Readiness Team (CERT) at the Department of Homeland Security (DHS) confirms a zero-day vulnerability in Java has been discovered and is already being exploited. The agency recommends disabling the Java plug-in on any PC until a patch can be found.
(The ESET Knowledgebase has advice on how to handle this vulnerability.)
The advisory sent out by the agency states that the vulnerability could allow a remote attacker to execute malicious code on PCs running Java 7, Update 10. The vulnerability, it says, is being attacked in the wild and already reported to be incorporated into exploit kits which could drive users to open a “specially crafted” malicious HTML document.
Reports on the Internet credit French researcher Kafeine with discovering the vulnerability and posting details on his blog. In a post on the “Malware don’t need Coffee” website, Kafeine starkly warns: “Hundreds of thousands of hits daily where I found it. This could be a mayhem. I think it’s better to make some noise about it”. The Department of Homeland Security’s reaction suggests he was correct.