Oracle just can’t catch a break these days, can they? As of March 4, a fully updated Java running the latest patch has been exposed to a signature vulnerability, one which could set the already strained Java security team back another week at the least.
Using credentials stolen from ClearResult Consulting, the applet has been able to build a backdoor on the test machine that researcher Eric Romang has been tracking since McRat took over the malicious-code headlines. The applet itself is running on an expired certificate and the key has been revoked, but unless users specifically go through their revocation lists and know what they’re looking for, the program can be propped up within a matter of minutes after being accidentally downloaded.
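As an added illustration (not code from the original article, from Oracle or from the researcher), here is a small Java program that lists the signer of each entry in an applet JAR and rejects the entry if the signing certificate is expired or fails PKIX validation with revocation checking (CRL distribution points and OCSP) switched on. It assumes the JRE's default cacerts trust store at its usual path with the default password, and takes the JAR path as its first argument.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.Enumeration;
import java.util.jar.*;

public class AppletSignerCheck {
  public static void main(String[] args) throws Exception {
    // args[0] is the path of the applet JAR to inspect (reader-supplied input).
    // Enable CRL distribution point and OCSP lookups for the PKIX validator.
    System.setProperty("com.sun.security.enableCRLDP", "true");
    Security.setProperty("ocsp.enable", "true");
    // Trust anchors: the JRE's cacerts store (assumed default location and password).
    KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
      trust.load(in, "changeit".toCharArray());
    }
    PKIXParameters params = new PKIXParameters(trust);
    params.setRevocationEnabled(true);
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    // JarFile(path, true) verifies each entry's signature as the entry is read.
    try (JarFile jar = new JarFile(args[0], true)) {
      Enumeration<JarEntry> entries = jar.entries();
      while (entries.hasMoreElements()) {
        JarEntry entry = entries.nextElement();
        if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
        // Code signers are only populated once the entry has been read to the end.
        try (InputStream in = jar.getInputStream(entry)) {
          byte[] buf = new byte[8192];
          while (in.read(buf) != -1) { /* drain and verify */ }
        }
        CodeSigner[] signers = entry.getCodeSigners();
        if (signers == null) { System.out.println("UNSIGNED  " + entry.getName()); continue; }
        for (CodeSigner signer : signers) {
          CertPath path = signer.getSignerCertPath();
          X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
          String subject = leaf.getSubjectX500Principal().getName();
          try {
            leaf.checkValidity();             // expired or not-yet-valid signing certificate
            validator.validate(path, params); // chains to a trusted CA and is not revoked (CRL/OCSP)
            System.out.println("OK        " + entry.getName() + "  signed by " + subject);
          } catch (GeneralSecurityException e) {
            // An expired or revoked signer means the applet must not be trusted.
            System.out.println("REJECT    " + entry.getName() + "  " + subject + ": " + e.getMessage());
          }
        }
      }
    }
  }
}
```

Run it as `java AppletSignerCheck suspect.jar`; a signer whose certificate has lapsed or appears on the issuer's CRL or OCSP responder shows up as REJECT rather than being silently accepted.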
In a statement released by Eric Maurice of Oracle, users have been encouraged to update as soon as possible, and to raise their Java security settings to “High” as the default method for dealing with all incoming and outgoing requests. He also made sure to assure those outside of Europe that they shouldn’t be too worried, as so far the crack has only been hosted from a German dictionary site that was infected with the “g01pack” exploit kit.
“In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin,” Oracle advises.
There is some speculation that the app still needs to ask permission to get through to your PC. However, if we’re to believe the original Twitter post which first alerted everyone to the flaw, that build of the exploit was running on a version of Java that has already been hotpatched as of late last night. Personally, I recommend you uninstall Java completely until this all blows over, and make sure you remove it as a plugin in your browsers and disable it from automatically running in your settings.