This warning is serious!
Last week it was announced that a zero-day flaw in Oracle’s Java programming language could make as many as 100 million computers connected to the Internet vulnerable to attack by cybercriminals.
The threat posed by the Java vulnerability was considered so serious that the U.S. Department of Homeland Security urged computer users to turn off Java on their machines.
Today an update was released, so IF you really NEED to have Java running for some application to work, you really should update it NOW!
However:
Oracle promised a fix for the security vulnerability in its Java software on Saturday and, keeping its word, the enterprise software giant released Java 7 Update 11 to address the massive security flaw on Sunday. However, experts opined that the emergency fix fails to provide 100 percent protection from hackers.
Read more at http://www.itechpost.com/articles/4923/20130114/oracle-releases-emergency-fix-java-software-flaw-security-threats-remain.htm#6gwdzSJyClAwLZ3b.99
Be safe….
Disable Java in All Browsers
Last month Oracle released a new Java version, Update 10, that includes a one-stop option for disabling Java in all browsers in the Java Control Panel. Open Control Panel and launch the Java applet. If you don’t see it, switch to Classic View (in XP) or small icons (in Vista or Windows 7). Click the Security tab. In previous versions this tab just allowed advanced users to manage Java-related certificates. It now displays a security-level slider and, more importantly, a single checkbox titled “Enable Java content in the browser.” Un-check this box, click OK, and you’re done.
Disable Java in One Browser
For security’s sake you really should be using the very latest Java version. If you’re not, or if you need to enable Java in some browsers but disable it in others, you can do that too.
Using Chrome? Enter chrome://plugins in the browser’s address bar. Scroll down to Java and click the link to disable it.
The process is similar in Opera: first, enter about:config in the address bar. Click the Java heading to expand that section, un-check the checkbox, and click the Save button.
In Safari, choose Preferences, choose Security, and deselect Enable Java.
The only way to disable Java in Internet Explorer is through the Java Control Panel. Launch it as described above, click the Advanced tab and expand the item titled Default Java for browsers. Un-check the boxes for Microsoft Internet Explorer. You may need to click the item and press spacebar in order to clear the checkmarks.
Firefox users can click the Firefox button at the top (or open the Tools menu) and choose Add-ons from the resulting menu. On the Plugins tab, click the Disable button next to “Java(TM) Platform.” You can also disable Java for all Mozilla family browsers by un-checking the Mozilla family box in the Java Control Panel.
What is this all about?
Vulnerability Note VU#625617
Java 7 fails to restrict access to privileged code
Original Release date: 10 Jan 2013 | Last revised: 12 Jan 2013
Overview
Java 7 Update 10 and earlier Java 7 versions contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.
The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle’s documentation states, “If there is a security manager already installed, this method first calls the security manager’s checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it’s safe to replace the existing security manager. This may result in throwing a SecurityException.”
By leveraging a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving the Reflection API and the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 Update 10 and earlier Java 7 versions are affected. The invokeWithArguments method was introduced with Java 7.
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.
Impact
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.
Solution
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details. Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin. Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation. System administrators wishing to deploy Java 7 Update 10 or later with the “Enable Java content in the browser” feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
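As an added audit example (not from the CERT note or from Oracle), the following Python helper applies the two facts above, that Java 7 builds before Update 11 are affected and that the “Enable Java content in the browser” switch is the workaround, to a `java -version` string and a deployment.properties file. It assumes the checkbox is persisted under the key deployment.webjava.enabled, which this page does not state.

```python
import re

# Java 7 Update 11 is the release the note above says closes VU#625617 / CVE-2013-0422.
FIXED_UPDATE = 11

# Assumption (not from the note): the "Enable Java content in the browser" checkbox
# is persisted in deployment.properties under the key deployment.webjava.enabled.
WEBJAVA_KEY = "deployment.webjava.enabled"


def parse_java_version(version):
    """Parse a 'java -version' style string such as '1.7.0_10' into (major, minor, update)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", version)
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version)
    major, minor, _patch, update = m.groups()
    return int(major), int(minor), int(update or 0)


def parse_deployment_properties(text):
    """Minimal parser for deployment.properties: key=value lines, '#' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def assess(version, properties_text):
    """Return 'not_affected', 'mitigated' or 'exposed' for one Java install."""
    major, minor, update = parse_java_version(version)
    vulnerable_runtime = (major, minor) == (1, 7) and update < FIXED_UPDATE
    if not vulnerable_runtime:
        return "not_affected"  # not Java 7, or already at Update 11 or later
    props = parse_deployment_properties(properties_text)
    # A missing key means the default, i.e. Java content in the browser is enabled.
    if props.get(WEBJAVA_KEY, "true").strip().lower() == "false":
        return "mitigated"  # vulnerable runtime, but the browser plug-in is switched off
    return "exposed"  # vulnerable runtime reachable from the browser


if __name__ == "__main__":
    # Constructed sample: a Java 7u10 machine whose user has un-checked the box.
    SAMPLE_PROPERTIES = "#deployment.properties (constructed sample)\n" + WEBJAVA_KEY + "=false\n"
    print(assess("1.7.0_10", SAMPLE_PROPERTIES))  # prints "mitigated"
```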
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Oracle Corporation | Affected | 11 Jan 2013 | 12 Jan 2013 |
| Sun Microsystems, Inc. | Affected | 11 Jan 2013 | 12 Jan 2013 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 9.5 | E:H/RL:W/RC:C |
| Environmental | 9.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/
- http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
- http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
- http://seclists.org/bugtraq/2013/Jan/48
- http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments%28java.util.List%29
- http://www.java.com/en/download/help/disable_browser.xml
Credit
Thanks to Kafeine for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2013-0422
- Date Public: 10 Jan 2013
- Date First Published: 10 Jan 2013
- Date Last Updated: 12 Jan 2013
- Document Revision: 49