Java continues to ravage everything, as two more "zero-day" exploits are making the rounds just a few days after the last zero-day vulnerability got a patch.
Researchers just uncovered more security threats in Java, and attackers are currently exploiting vulnerabilities in the wild.
According to Kaspersky, one of the exploits targets the latest runtime and attempts to install a McRAT executable file by overwriting memory in the JVM to trigger that executable to run.
Once users install the executable file, the McRAT malware will try to contact command and control (C&C) servers and copy itself into DLL files on Windows systems.
While this malware is specifically for Windows, Intego describes a second Trojan disguised as a Java executable called "Minecraft Hack Kit," which in fact steals Minecraft passwords. The kit masquerades as a tool to help Minecraft users perform moderator tasks such as banning or kicking other users in the game.
Instead of delivering the alleged "Minecraft Hack Kit," the program actually installs three new applets and a Launch Agent script that keeps them constantly running in the background. In turn, these secondary payload programs are designed to steal Minecraft credentials and send them to various Hotmail accounts.
The new threats are not of utmost severity, and the Minecraft malware is specific to Minecraft players who have Java installed. Nonetheless, they do add to an explosion of Java zero-day vulnerabilities exploited in the wild over the last two months. Java has been a popular attack target for a long time and it never seems to end. A zero-day vulnerability pops up and the company issues a patch, only to have other zero-days surface in no time.
Oracle is well known for its delay in releasing patches, but in the past year it had no choice but to release several emergency updates because the bugs were serious. The newly found bugs will likely prompt yet another emergency patch.
The best thing, according to several reports, is to disable Java altogether and get off this roller coaster of bugs and patches that never seems to stop. Those who really need Java, meanwhile, can keep it in a secondary browser and make sure to always keep it up to date.