Java and Ruby on Rails vulnerabilities uncovered
Serious security flaws found in two widely used technologies
Security researchers are warning of vulnerabilities in two widely used technologies, namely Java and Ruby on Rails.
Trend Micro said that a zero day vulnerability has been discovered in Java, meaning that the popular technology is vulnerable to attack with no patch available at present.
The vulnerability is under active attack and is being exploited by crimeware tools such as the Black Hole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK), which distribute malware, most notably ransomware such as the Reveton variants.
The US Department of Homeland Security is recommending that users switch off Java until a fix is released, although Trend says this may not be a realistic option and instead suggests using Java security controls to keep Java on the system but disable it in the browser.
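The mitigation Trend describes, keeping Java installed but disabling it in the browser, is controlled on Java 7 Update 10 and later through the deployment configuration. The following is an added example, not code from the article or from Trend Micro; it assumes the standard `deployment.properties` keys `deployment.webjava.enabled` (true/false) and its companion lock key `deployment.webjava.enabled.locked`, which prevents users from re-enabling the setting in the Java Control Panel. It parses a properties file (a constructed sample is embedded) and reports whether browser Java is disabled and whether that choice is locked, which is the check a defender would script across a fleet.

```python
"""Audit Java deployment.properties for the 'disable Java in the browser' control.

Added example (not from the article). Assumed keys (Java 7u10+ deployment
configuration): deployment.webjava.enabled and deployment.webjava.enabled.locked.
"""
from pathlib import Path

WEBJAVA_KEY = "deployment.webjava.enabled"
LOCK_KEY = "deployment.webjava.enabled.locked"

# Constructed sample files for the example (not real captured configurations).
SAMPLE_HARDENED = """# deployment.properties: Java kept on the system, plug-in disabled
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""
SAMPLE_WEAK = """# deployment.properties: plug-in still enabled
deployment.webjava.enabled=true
"""


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Keys are separated from values by the first '=' or ':'; a line with only
    a key (as the '.locked' flag is usually written) gets an empty value.
    Comment lines start with '#' or '!'.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Find the earliest separator character, if any.
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if seps:
            cut = min(seps)
            key, value = line[:cut], line[cut + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def check_browser_java(props):
    """Return the state of the browser plug-in control.

    Java treats a missing deployment.webjava.enabled as 'true', so an absent
    key is reported as NOT disabled.
    """
    disabled = props.get(WEBJAVA_KEY, "true").lower() == "false"
    locked = LOCK_KEY in props
    return {"disabled": disabled, "locked": locked, "compliant": disabled and locked}


def audit_file(path):
    """Audit a deployment.properties file on disk (hypothetical helper for fleet checks)."""
    return check_browser_java(parse_properties(Path(path).read_text()))


if __name__ == "__main__":
    for name, text in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(name, check_browser_java(parse_properties(text)))
```

On Windows the system-wide file lives under the JRE's `lib` directory and per-user overrides under the user's Java deployment folder; pointing `audit_file` at both and requiring `compliant` to be true in the system-wide file is the sensible fleet policy, because an unlocked setting can be reversed from the Control Panel.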
Two critical vulnerabilities have also been detected in the Ruby on Rails web application framework, which Trend describes as "serious".
The vulnerabilities are not under active attack at this time, and patches are available, but the security company noted that exploit code has been released in a module for the Metasploit framework.
Trend also warned that the Java and Ruby on Rails vulnerabilities could be utilised in a combined exploit: attacking web servers using the Ruby on Rails vulnerability and then placing attack code on the compromised server that targets the Java vulnerability. The scenario could work well for a ‘watering hole’ attack that targets only specific geographic regions or even only specific netblocks.