Remember when we told you that you should disable Java in your browser? That even the Department of Homeland Security considers the programming language a liability? That black hat hackers are selling “exploits” (vulnerabilities in the program that can be used to hack a system) for $5,000 each?
Yeah. We weren’t kidding. And neither are those who use such exploits to screw you to the wall. Another 0-day exploit (a previously unknown vulnerability) has been discovered.
“Multiple customers” were attacked via this vulnerability in the latest version of Java. Alex Lanstein, a senior security researcher at FireEye, told Krebs that the culprits are likely the same hackers who hit security firm Bit9 last month, also using a Java exploit.
“Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,” Lanstein told Krebs.
The last five Java vulnerabilities alone have been used to hack Apple, Twitter, Facebook and 37 other companies. Java was also the attack vector in a massive cyberespionage effort called Operation Red October, exposed by security researchers in January. Red October targeted computers in 69 countries, including the U.S., Iran, and the Russian Federation.
Java’s owner, Oracle, recently released a patch to fix those. Subsequently it released a fix for 50 more problems. But more and more seem to be found every week—security firm Kaspersky Labs estimates that, last year, Java was used in 50 percent of all cyberattacks involving software exploits.
And, as Krebs notes, the majority of users can get by just fine without Java running in their browsers. If you know you need Java for some reason, Krebs recommends running two browsers: a main browser with Java entirely disabled, and a second one that you only use to visit sites that require Java.
Here is a set of good visual instructions on how to disable Java.
Photo via Bigstock