PC users vulnerable to Java attack

August 29, 2012

Hackers have allegedly been given an open invitation to gain access to PCs throughout the world after cybersecurity researchers discovered that the latest version of Java is flawed.

According to Reuters, the free software from Oracle, which the company claims is installed on 97 percent of enterprise desktops, opens machines to attacks from hackers. Numerous web security firms are telling users to disable Java, as there seems to be no way to prevent malware from handing over control of the machine to cybercriminals, who can mimic the actions of victims without being detected.

The malware works in two stages. First, it exploits a newly discovered coding loophole in the latest version of Java, the computer language that allows programmers and developers to write one set of code for use on a variety of web browsers. Once in, it installs a trojan called "Poison Ivy," which can allow the hacker to gain control if a user visits a website that has already been compromised.

"If exploited, the attacker will be able to perform any action the victim can perform on the victim's machine," warned Tod Beardsley, an engineering manager with Rapid7's Metasploit division.

PC users vulnerable
This latest attack on free-to-install software comes at a time when a number of high-profile companies have admitted that their data loss prevention protocols are not as secure as once believed. PC users have always been vulnerable to malware and, despite a concerted effort by the cybersecurity industry to warn users of the perils of downloading software from suspicious sites, corporations such as Oracle have always appeared to be more trustworthy.

Web security firms currently recommend that Java not be enabled for universal use and suggest that using a secondary browser, one that doesn't have Java installed, may be the best way to reduce vulnerability. FireEye, the security firm that, according to Forbes, spotted the Java problem, believes that PC users will be open to attack until Oracle patches its software, something that the company does every two to three months.

"It’s just a matter of time that a [proof-of-concept] will be released and other bad guys will get hold of this exploit as well," commented FireEye’s researchers on the company blog. "It will be interesting to see when Oracle plans for a patch. Until then, most of the Java users are at the mercy of this exploit."

-McAfee Cloud Security