CYBEREYE

Zero-day Java exploit shows how fast hackers have become

A recent zero-day exploit for Java (since addressed by an out-of-cycle update from Oracle, although the patch apparently has a flaw of its own) got a lot of attention and generated calls for users to disable or remove Java. Stephen Cobb, security evangelist at ESET, called this “an alternative to keeping up with the patching process.”

But what really got his attention was not the threat to (or from) Java, but the growing efficiency of the malware developers.

“The interesting thing to me is the speed with which an exploit for the vulnerability has been fielded,” he said. “It illustrates the industrialization of malware.”



Developers of malicious code are becoming faster, better and more efficient, he said. They are employing a division of labor to take advantage of specialized skill sets and leveraging emerging standards to improve interoperability and ease the job of assembling exploits and tool kits. The result is increased availability of tools for delivering attacks, quietly siphoning off intellectual property and sensitive data, and doing reconnaissance on systems that control our critical infrastructure.

The development isn’t new, and Cobb is not the first to notice it. “It’s been coming for a while,” he said.

It is the result of the introduction of the profit motive into hacking. Once the domain of glory-seeking coders or script kiddies with axes to grind, hacking is now a business: criminals are making big bucks from attacks, and nation states apparently are willing to invest money to gain access to tools for espionage and sabotage.

The end result is that the growing ranks of IT security professionals are now being pitted against increasingly professional adversaries. But there still remains at least one advantage for the good guys. Cybersecurity is becoming part of college curriculums, but to date I am not aware of any college or university offering a degree program in malicious coding and system penetration.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Wed, Sep 5, 2012 Steve Hathaway

You mentioned that there is no current college curriculum for hacking and malware manufacturing. The information is already readily available. Hackers can easily research the upcoming threats and find open security holes by reading the XML standards documents. Any XML markup that controls software engines can often be made to abuse those engines. XML implementations currently do a poor job of validating URL content. Thus URL spoofing is often easy to perform. Shall I say more? The ubiquitous PostScript language can be a security threat on many PostScript interpreters - usually associated with laser printers. The underlying computer can be controlled by sending specially crafted documents - treated as PostScript programs. PDF documents are merely a fundamental modification of the PostScript programming language. Automated tools can be readily created to exercise the threats posed by standards loopholes, and preparing seemingly innocent documents that cause peripheral harm.
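The comment above argues that XML implementations validate the URL content a document hands them poorly, so URL spoofing is easy. The following is an added example (it is not from the article, the commenter, or any product they mention) of what validating those URLs looks like: a checker for the references an XML document asks a processor to dereference (DOCTYPE and entity system identifiers in the prolog, href/src attributes in the body) that enforces a scheme and host allowlist and refuses the common spoofing tricks, such as a trusted hostname placed in the userinfo part ahead of an `@`, backslashes that some fetchers reinterpret as separators, and embedded control characters. The allowlisted hosts and the sample document are constructed for the example.

```python
"""Added example: validate the URLs an XML document asks a processor to fetch.

Not from the article or the commenter. ALLOWED_HOSTS and SAMPLE_XML are
constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist: the only hosts this application may dereference.
ALLOWED_HOSTS = {"schemas.example.com", "www.example.com"}

# Attributes whose values are commonly dereferenced (xlink:href, xsl:include
# href, img src, ...). Namespace prefixes are stripped before matching.
REF_ATTRS = {"href", "src"}

# System identifiers in the prolog: <!ENTITY name SYSTEM "url">,
# <!ENTITY name PUBLIC "pubid" "url"> and <!DOCTYPE root SYSTEM "url">.
_SYSTEM_ID_RE = re.compile(
    r'<!(?:ENTITY\s+(?:%\s+)?[\w.:-]+|DOCTYPE\s+[\w.:-]+)\s+'
    r'(?:SYSTEM\s+|PUBLIC\s+"[^"]*"\s+)"([^"]*)"'
)


def validate_reference_url(url):
    """Return (ok, reason). ok is True only for a well-formed http(s) URL whose
    host is allowlisted and which carries none of the spoofing tricks below."""
    if not isinstance(url, str):
        return False, "not a string"
    # Whitespace and C0/DEL characters are stripped or reinterpreted by many
    # URL fetchers (and by urlsplit itself); refuse rather than normalise.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False, "control character or whitespace in URL"
    # Browsers and some libraries treat "\" as "/" in the authority; a literal
    # backslash lets an attacker hide the real host after a trusted-looking one.
    if "\\" in url:
        return False, "backslash in URL"
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:      # urlsplit lowercases scheme
        return False, f"scheme {parts.scheme!r} not allowed"
    # "https://www.example.com@203.0.113.9/" resolves to 203.0.113.9: the
    # trusted name is only the userinfo. Reject userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (host@host spoofing)"
    host = parts.hostname                          # lowercased, port removed
    if not host:
        return False, "missing host"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, "non-ASCII host (IDN look-alike risk)"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


def scan_xml_references(xml_text):
    """Return [(url, ok, reason), ...] for every URL the document references:
    prolog system identifiers first, then href/src attributes in document order.
    The prolog is scanned textually because ElementTree does not expose the DTD."""
    found = [m.group(1) for m in _SYSTEM_ID_RE.finditer(xml_text)]
    root = ET.fromstring(xml_text)   # declared-but-unreferenced entities are not fetched
    for el in root.iter():
        for name, value in el.attrib.items():
            if name.rsplit("}", 1)[-1] in REF_ATTRS:   # drop "{namespace}" prefix
                found.append(value)
    return [(u, *validate_reference_url(u)) for u in found]


# Constructed sample: one legitimate DTD reference, one file:// entity, one
# good link, one host@host spoof and one backslash spoof.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE report [
  <!ENTITY schema SYSTEM "https://schemas.example.com/report.dtd">
  <!ENTITY leak SYSTEM "file:///etc/passwd">
]>
<report xmlns:xlink="http://www.w3.org/1999/xlink">
  <logo xlink:href="https://www.example.com/logo.png"/>
  <logo xlink:href="https://www.example.com@203.0.113.9/logo.png"/>
  <include src="https://www.example.com\\@203.0.113.9/x"/>
</report>
"""

if __name__ == "__main__":
    for url, ok, reason in scan_xml_references(SAMPLE_XML):
        print("ALLOW" if ok else "DENY ", url, "-", reason)
```

The point of the checker is that parsing the URL is not the same as validating it: `urlsplit` happily returns the attacker-controlled host for the `@` form, and a string comparison against "www.example.com" would pass the backslash form. Run the validator before any resolver or fetch hook sees the value, and keep the allowlist tied to what the application actually needs to reach.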

Tue, Sep 4, 2012

Because of the speed of hackers and the current attack surface, we need to think differently about device security design and countermeasures. For instance, there should be no permissions to the operating system to prevent malicious executables, and no persistent malware should be allowed to exist on the machine. Browsers with proven, advanced sandboxing should be the norm.
