A newly discovered zero-day vulnerability in the most recent versions of Java 6 and Java 7 is being actively exploited by attackers to install malicious software on vulnerable PCs.
"We detected a brand new Java zero-day vulnerability that was used to attack multiple customers," FireEye security researchers Darien Kindlund and Yichong Lin said in a blog post published Thursday. "Specifically, we observed successful exploitation against browsers that have Java v1.6 update 41 and Java v1.7 update 15 installed," they said, referring to the two most recently released versions of Java 6 and Java 7.
The new bug (CVE-2013-1493) is the third Java zero-day vulnerability to have been reported to Oracle this week.
So far, the FireEye researchers have publicly detailed the new vulnerability only in broad terms: "Not like other popular Java vulnerabilities in which [the] security manager can be disabled easily, this vulnerability leads to [an] arbitrary memory read and write in [the] JVM [Java virtual machine] process," they said.
Read more:
http://www.informationweek.com/secu...day-java-vulnerability-allows-mcrat/240149816