{"id":2456,"date":"2013-04-25T00:00:00","date_gmt":"2013-04-25T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/25\/recently-patched-java-flaw-already-targeted-in-mass-attacks\/"},"modified":"2021-12-30T11:41:22","modified_gmt":"2021-12-30T11:41:22","slug":"recently-patched-java-flaw-already-targeted-in-mass-attacks","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/25\/recently-patched-java-flaw-already-targeted-in-mass-attacks\/","title":{"rendered":"Recently patched Java flaw already targeted in mass attacks"},"content":{"rendered":"<p>The vulnerability, identified as CVE-2013-2423, was one of the 42 security issues fixed in Java 7 Update 21 that was released by Oracle last week, on April 16. The company gave the flaw&#8217;s impact a 4.3 out of 10 rating using the Common Vulnerability Scoring System (CVSS) and added that &#8220;this vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.&#8221;<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The vulnerability, identified as CVE-2013-2423, was one of the 42 security issues fixed in Java 7 Update 21 that was released by Oracle last week, on April 16. 
The company gave the flaw&#8217;s impact a 4.3 out of 10 rating using the Common Vulnerability Scoring System (CVSS) and added that &#8220;this vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.&#8221;<\/p>\n<p style=\"margin: 0px; min-height: 14px;\">An exploit for CVE-2013-2423 was integrated into a high-end Web attack toolkit known as Cool Exploit Kit and is used to install a piece of malware called Reveton, an independent malware researcher known online as Kafeine said Tuesday in a blog post.<\/p>\n<p style=\"margin: 0px; min-height: 14px;\"><\/p>\n<p style=\"margin: 0px;\">The vulnerability started being targeted by attackers one day after an exploit for the same flaw was added to the Metasploit framework, an open-source tool commonly used by penetration testers, the F-Secure researchers said.<\/p>\n<p style=\"margin: 0px; min-height: 14px;\"><\/p>\n<p style=\"margin: 0px;\">This wouldn&#8217;t be the first time cybercriminals have taken Metasploit exploit modules and adapted them for use with their own malicious attack toolkits.<\/p>\n<p style=\"margin: 0px; min-height: 14px;\"><\/p>\n<p style=\"margin: 0px;\">Users who need Java on their computers and especially in their browsers are advised to upgrade their Java installations to the latest available version &#8212; Java 7 Update 21 &#8212; as soon as possible. 
This version also made changes to the security warnings displayed when websites attempt to load Web-based Java applications in order to better represent the risk associated with allowing different types of applets to execute.<\/p>\n<p style=\"margin: 0px; min-height: 14px;\"><\/p>\n<p style=\"margin: 0px;\">Browsers like Google Chrome and Mozilla Firefox also have a feature known as click-to-play that can be used to block plug-in-based content from executing without explicit consent.<\/p>\n<p style=\"margin: 0px;\"><\/p>\n<p style=\"margin: 0px;\">Link: <a href=\"http:\/\/www.computerworld.com\/s\/article\/9238652\/Recently_patched_Java_flaw_already_targeted_in_mass_attacks?source=CTWNLE_nlt_pm_2013-04-24\">http:\/\/www.computerworld.com\/s\/article\/9238652\/Recently_patched_Java_flaw_already_targeted_in_mass_attacks?source=CTWNLE_nlt_pm_2013-04-24<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-2456","post","type-post","status-publish","format-standard","hentry","category-warnings"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2456","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2456"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2456\/revisions"}],"predecessor-version":[{"id":4943,"href":"https:\/\/
www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2456\/revisions\/4943"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2456"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}