Java 0-Day: who’s brewing the coffee?

Further to Pierre-Marc's blog yesterday about in-the-wild exploitation of the Java Development Kit vulnerability publicised by Tavis Ormandy, David Kennedy has brought to our attention a comprehensive article on the same topic published yesterday by FireEye's Atif Mushtaq. You may remember that Atif exchanged thoughts and info with us about a year ago in relation to the Hexzone brouhaha. His article on the JDK issue is mandatory reading if you want to understand this issue, so I won't attempt to summarize it. However, I will quote part of his conclusion.

It's pretty obvious that the simplicity and reliability of this exploit will make it a lethal weapon for the bad guys in coming days.  Plus, the unavailability of any working patch is making the overall picture scarier.  I am pretty sure that in the coming days, this exploit will become part of underground exploit kits.  This means that even a kiddie with basic computer skills and bad intentions can start making money out of this.

He's right. While most attacks we've seen to date have had an amateur, script kiddy whiff about them, there's no reason they can't be incorporated into a more sophisticated attack. And while the release of JRE 6 Update 20 was initially heralded as a fix, there is some doubt as to whether it's a complete fix. Tavis's advisory includes some mitigations, and you might want to check those out. Particularly good advice:

As always, if you do not require this feature, consider permanently disabling it in order to reduce attack surface.

A good general rule!

Tips of the hat to Dave Kennedy and Ken Bechtel for their input.

Research Fellow & Director of Malware Intelligence

Author David Harley, ESET

  • PC.Tech

    Another "good general rule":
    Second in this "series":
    1. We have the Firefox v3.6.3, forced fix/release due to a "security specialist" participation in a CanSecWest "contest".
    2. Now the Java v1.6.0_20 forced fix/release due to another "security specialist" releasing his vulnerability findings so the hacks can exploit them for the rest of the world – again wasting the time and effort of millions of end users and those who support them.
    Are these people clueless/unaware of Responsible Disclosure?
