InfoSec Security Alert: Oracle Java 1.7

BACKGROUND:

On January 10, 2013, security researchers reported an unpatched vulnerability in Oracle Java 1.7u10.

Security professionals comment that attack code that exploits the vulnerability is being “massively exploited in the wild.” Miscreants use such exploits to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting website visitors.

IMPACT:

Browsing the web with a vulnerable version of Java installed and enabled means that simply visiting a website is enough for an attacker to compromise your computer. This is known as a “drive-by download” [1].

While “safe browsing” to only trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability or prevent exploitation. Please see “Recommendations” below for further steps that must be taken.

The malicious software installed through these attacks may collect usernames and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, email etc.

PLATFORMS AFFECTED:

All versions of Oracle Java 7 (aka 1.7) from the initial release up through update 10 are vulnerable.

RECOMMENDATIONS:

  • If you are not using any programs that require Java, remove it from your system altogether. Java is one of the most heavily exploited platforms in the world today due to its almost ubiquitous presence.
  • If you need Java for a specific program but not for the web pages you visit, disable the Java plug-in in your browsers (links for how to do this are below). It is safest to allow use of Java browser plug-ins on a case-by-case basis, when prompted for permission by trusted programs.
  • If you can’t do that, use one browser with Java enabled only for trusted websites (Blackboard/Cisco AnyConnect/Host On Demand) and use another browser with Java disabled for the rest of your browsing.
  • If you have Java 1.7.x installed, a new patch is available that partially fixes this most recent vulnerability; see reference [2] below. However, there are more vulnerabilities not yet patched, so we recommend you discontinue using Java wherever possible.
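As an added check that is not part of this advisory, the POSIX shell functions below classify a Java version string against the affected range stated above (Java 7 from the initial release through update 10, i.e. 1.7.0_10, with update 11 being the patched release from reference [2]). The helper that reads the locally installed version assumes the usual output format of "java -version", which prints a line such as: java version "1.7.0_10".

```shell
#!/bin/sh
# Added example, not part of the advisory. Classifies a Java version string
# as affected by this alert: every 1.7.0 build through update 10 is affected.

# java_vulnerable VERSION -> exit 0 if the version is in the affected range,
# 1 otherwise. Accepts forms like 1.7.0_10, "1.7.0_09", 1.7.0_11-b21, 1.7.0.
java_vulnerable() {
    ver=$(printf '%s' "$1" | tr -d '"' | sed 's/-.*$//')   # drop quotes, build tag
    case "$ver" in
        1.7.0_*) ;;             # Java 7 with an update number: check it below
        1.7|1.7.0) return 0 ;;  # initial Java 7 release, no update suffix
        *) return 1 ;;          # Java 6, Java 8, or anything else: out of scope
    esac
    update=${ver#1.7.0_}
    case "$update" in
        ''|*[!0-9]*) return 1 ;;  # non-numeric update field: not a known build
    esac
    # Strip leading zeros ("09" -> "9") so the numeric test is unambiguous.
    update=$(printf '%s\n' "$update" | sed 's/^0*\([0-9]\)/\1/')
    [ "$update" -le 10 ]
}

# classify_java VERSION -> prints "vulnerable" or "not-affected".
classify_java() {
    if java_vulnerable "$1"; then echo vulnerable; else echo not-affected; fi
}

# installed_java_version -> version string of the java binary on PATH, if any.
# Assumption: "java -version" writes 'java version "X"' to stderr.
installed_java_version() {
    java -version 2>&1 | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Stand-alone use: report on the locally installed Java, if present.
if [ -n "$(installed_java_version)" ]; then
    echo "installed: $(installed_java_version) -> $(classify_java "$(installed_java_version)")"
fi
```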

How to disable Java…

…in Safari: http://support.apple.com/kb/HT5241

…in IE: http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/

…in FireFox: http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets

(For Firefox on Mac OS X, it is like Windows XP (Tools > Add-ons))

…in Chrome: While in Chrome, enter this URL: chrome://plugins/ then click “Disable” under Java.

References:

[1] http://en.wikipedia.org/wiki/Drive-by_download

[2] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

[3] http://nakedsecurity.sophos.com/2013/01/13/oracle-releases-cve-2013-0422-patch-for-java/

[4] https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/