News

Java Exploit Added to BlackHole Toolkit

• By John K. Waters
• July 10, 2012

A well-known hacking tool aimed at Java vulnerabilities appears to have gotten an upgrade designed to exploit a newly-patched security flaw addressed in the Java SE 6 Update 33 and Java SE 7 Update 5. The BlackHole exploit pack, a Java-focused framework that injects malware into PCs from malicious or legitimate Web sites that have been compromised, is expected to target those vulnerabilities, the patches for which were issued in June.

Security blogger Brian Krebs reported the exploit last week on his "KrebsOnSecurity" blog. BlackHole, he explained, consists of a series of scripts designed to check for the presence of vulnerable plugins on the visitors' browsers.

"People visiting those sites with browsers running outdated versions of Flash or Quicktime or Java are going to have a very bad day," Krebs told ADTmag.

Krebs, a former Washington Post investigative reporter, contacted the creator of BlackHole via instant messaging and was told that the new Java attack would be rolled into a software update that would be available on July 8 to all paying and licensed users of BlackHole.

"What I tell people is, regardless of which operating system you use, if you have Java installed, update it, neuter it, or get rid of it as soon as possible," Krebs said. "Java requires constant patching, and it's kind of a favorite target of attackers these days."

According to SophosLabs' Fraser Howard, the notorious exploit kit has been around since late 2010 and is Russian in origin. In his paper, "Exploring the BlackHole Exploit Kit," Howard explains that the kit silently loads malicious code from the exploit site. "This technique has been used aggressively by BlackHole, with hundreds of thousands of legitimate sites compromised," he wrote.

Sophos reports that BlackHole attacks accounted for 31 percent of Web attacks detected by the company's security software in the second half of 2011.

Users of exploit kits actually thrive on patch announcements, says application security expert and author Gary McGraw, because in practice, when a patch is released, only a few people who have the software end up applying it.

"Patches are a software exploiter's roadmap," McGraw told ADTmag in an earlier interview. "If you look at the data about what happens when patches are released, you'll see that right after [they're announced], script kiddie tools come out that are targeting the unpatched versions of the software that are still out there. The patch announcement shows you exactly where the problem is and what its nature is. It's like a big, red sign over the hole."