When compared to last year’s storm of Java security scares and general FUD about the porousness of the platform, 2015 has been relatively calm on this front. But that doesn’t mean there aren’t nasties still at large – InfoQ reports that, for the first time in two years, a Java Zero Day exploit has recently been unearthed.
The term “Zero Day exploit” relates to security holes unknown to vendors. Security specialists Trend Micro, who brought the new Java vulnerability to light, write that such exploits are a persistent feature of targeted attacks. The exploit in question – CVE-2015-2590 – targets sandboxed Java Web Start applications and Java applets. For this reason, if you’re not using Java to navigate to websites with these kinds of applications, you don’t need to worry.
CVE-2015-2590 was discovered as part of Trend Micro’s ongoing investigation and monitoring initiative of a targeted attack campaign, dubbed “Operation Pawn Storm.” By chance, the team uncovered some dodgy-looking URLs that hosted the newly discovered zero-day exploit in Java.
These URLs turned out to be similar to those seen in the attack launched by the threat actors behind Pawn Storm, which aimed to hit strategic international targets including APEC, NATO and the White House back in April, although it’s thought that these URLs weren’t hosting the Java exploit at the time.
It’s believed that CVE-2015-2590 affects the latest version of Java (220.127.116.11) and, unlike more recent Java misadventures, this hole isn’t thought to affect older versions of the platform. Oracle issued a fix as part of last month’s quarterly Critical Patch Update on July 14th. Given that the exploit impact varies depending on the user having administrator privileges, those using systems like Windows XP are at a greater risk. If you haven’t brought yourself up to date already, we’d recommend downloading the CPU now.