JAVA SECURITY ISSUE
Oracle says fix is on the way
January 13, 2013
(MONROE, WA) -- One of the most widely read news stories of the past two months in the Sky Valley Chronicle was the story about the security problem with the Java computer application, a story that broke on Friday. The Chronicle was one of the first newspapers in the state to break the story.
Oracle on Saturday confirmed what is now known as the 0-day vulnerability discovered in Java 7. The company told the Reuters news service that “a fix will be available shortly.”
Earlier in the week, the US Computer Emergency Readiness Team (US-CERT), part of the National Cyber Security Division of the Department of Homeland Security, issued a warning about the Java application:
“Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
The critical security hole, which allows attackers to execute malicious software on a victim’s machine, was quickly exploited in the wild and made available in common exploit kits. Later the same day, Apple stepped in to block Java 7 on OS X 10.6 and up to protect Mac users.
On Friday, we learned the 0-day code would not have worked if Oracle had properly addressed an old vulnerability, according to Security Explorations, the security firm responsible for identifying most of the latest Java vulnerabilities.
Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API, and Oracle released a patch for it in October 2012, but the fix wasn’t a complete one.
Also on Friday, Mozilla added all recent versions of Java to its Firefox add-on blocklist. These include Java 7 Update 9, Java 7 Update 10, Java 6 Update 37, and Java 6 Update 38; older Java versions were already blocklisted due to other vulnerabilities.
Once Oracle releases Java 7 Update 11, Mac users and Firefox users will once again be able to use the plug-in. Unfortunately, since the company still hasn’t provided a date for when that will be, we recommend that regardless of what browser and operating system you’re using, you should uninstall Java if you don’t need it and disable it otherwise. If you absolutely must use it, do so in a secondary browser.”
How to disable the Java browser plug-ins, and how to disable the main Java application on your Windows-based PC, can be found in our earlier story here.