New zero-day vulnerability in Java being widely exploited (Updated)

By on January 14, 2013, 1:54 AM

Update (1/13): Three days after a critical Java vulnerability was widely reported, Oracle has issued an update that closes the hole and secures browsers running the Java plugin. Update to Java SE 7u11 to protect your PC (or disable Java altogether). The flaw let a malicious website exploit visitors remotely through the browser plugin. Oracle also says this update reduces future risk by switching the Java security level to "high" by default, so unsigned or self-signed applets will no longer run without explicit user authorization.

Original story is below:

Yet another zero-day vulnerability in Java has reared its ugly head, and according to security researchers, early indications are that it is already being "widely exploited" by malicious sites.

A researcher going by the name @kafeine first spotted the exploit in action and noted that a number of sites are using it to silently install malware in drive-by download attacks. According to reports, one group is even using it to install ransomware on affected PCs.

Kafeine notified security firm AlienVault Labs, which independently verified that the exploit works. What's more, it has already been added to a number of exploit kits, including Blackhole and Nuclear Pack, making it easy for criminals to deploy. The exploit is specific to Java 7 and there is no fix at the moment, although Oracle says it is working on one. There is still no word on how long that will take.

Right now the only way to protect your machine against this exploit is to disable the Java browser plugin. Others, including US-CERT (the United States Computer Emergency Readiness Team), have given the same advice or recommended the more drastic step of uninstalling Java entirely.

User Comments: 14

Guest said:

For the love of God, let Java die already! I uninstalled it many months ago and have been happy with how much faster my browser works!

Guest said:

Okay, we'll just call up Java and tell them to let their platform die, even though it runs so many different things, not just your web browser. Take your phone, for instance: no matter whether it's an iPhone, Android or anything else, chances are it needs Java in some form to run.

Java is pretty much the backbone of so many things we use in our day-to-day lives, which is why people exploit it and use it for their personal gain. It's not just for web browsing; it has other practical uses.

Also, not to mention how many jobs would be lost at Oracle if they decided to stop using the platform, which is a great employer in my country.

So no, we can't just let Java die; its existence does more for technology than you do.

Per Hansson (Staff), TS Server Guru, said:

Well letting Java die would be a bit over the top.

But as a platform in your browser I feel that, just like Adobe's Flash, Oracle's Java has run its course.

I have several applications that require Java:

APC UPS monitoring software

LSI MegaRAID Storage Manager

Supermicro IPMIView

Obviously I can't live without these programs, and they control and/or monitor hardware that costs a lot of money. Simply getting rid of Java is not the solution here.

But you know what, I just uninstalled the Java runtime from my machine, and these programs work just fine anyway.

That's because they bundle Java in their installation directories, and that itself is a real security problem. (Do you ever think they care to upgrade the included Java, and how many Java versions are actually installed on my system? But that's for another discussion.)

Since I uninstalled Java, the attack vector is gone: the browser can no longer use Java, and therefore in that view Java is no longer running on my machine.

But my programs that actually depend on Java still run just fine, so I'm a happy camper.

TomSEA, TechSpot Chancellor, said:

That's some good info - thanks Per Hansson!

Gareis said:

Disabling Java plugin on Chrome:

[link]

Guest said:

Of note: Java and JavaScript (the latter used for web pages) are not the same thing. I'm not sure if the story makes that distinction. If you wish to uninstall Java, you can do it via the "Add/Remove Programs" function. Good night and good luck :)

Guest said:

This bug only affects Java 7 so you could simply uninstall Java 7 and install the latest update of Java 6 from https://www.java.com/en/download/manual_v6.jsp

I have to use Java 6 because one of my employer's software programs doesn't yet support Java 7.

Camikazi said:

This bug only affects Java 7 so you could simply uninstall Java 7 and install the latest update of Java 6 from https://www.java.com/en/download/manual_v6.jsp

I have to use Java 6 because one of my employer's software programs doesn't yet support Java 7.

I do believe that the last zero-day bug found in Java affected Java 5, 6 and 7 and has not been fixed yet, so you're not safe yet.

avoidz said:

With so many applications using Flash and Java in the tech world, I don't see either going away anytime soon. Despite all the villagers with pitchforks around here.

Per Hansson (Staff), TS Server Guru, said:

Continuing my post above: apparently Java now has a feature where you can disable browser support in its control panel.

Very good addition!

So if you, like me, depend on a lot of programs that require Java, but unlike my examples they don't bundle Java in their installation directories, then this new button is for you [link]

Source and further reading: [link]

[link]
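The article's advice to disable the Java browser plugin, Oracle's move in 7u11 to a "high" default security level, and the Java Control Panel switch Per Hansson describes above all come down to a couple of keys in Java's deployment.properties file. The script below is an added example, not code from the article, from TechSpot, or from Oracle: it audits a deployment.properties file for those keys and, with `--fix`, rewrites it. It assumes the key names Java 7u10 and later read (`deployment.webjava.enabled`, `deployment.security.level` and their `.locked` variants; the Control Panel checkbox writes the same key), the usual per-user file locations on Windows and Linux, and a constructed sample file. The `.locked` keys only bite when the file is the system-wide one referenced from deployment.config; in a per-user file the user can simply edit them out.

```python
"""Audit / harden a Java 7 deployment.properties file (added example, not Oracle's code).

Keys assumed from Java 7u10+ (the Java Control Panel writes the same ones):
  deployment.webjava.enabled   "Enable Java content in the browser" checkbox
  deployment.security.level    the security slider: LOW / MEDIUM / HIGH / VERY_HIGH
  <key>.locked                 stops the user changing <key> in the Control Panel;
                               only honoured in the system file named by deployment.config
"""
import os
import sys
from pathlib import Path


def default_properties_path() -> Path:
    """Per-user file location (assumed); a system-wide file is named by deployment.config."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("USERPROFILE", Path.home()))
        return base / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties"
    return Path.home() / ".java" / "deployment" / "deployment.properties"


# The article's mitigation: plugin off. VERY_HIGH is one notch above the HIGH default
# Oracle introduced in 7u11 (unsigned and self-signed applets are blocked outright).
HARDENED = {
    "deployment.webjava.enabled": "false",
    "deployment.security.level": "VERY_HIGH",
}
LOCKED = tuple(k + ".locked" for k in HARDENED)

# Constructed sample of a stock per-user file; not captured from a real machine.
SAMPLE = """#deployment.properties
#Sun Jan 13 12:00:00 CET 2013
deployment.version=7.10
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""


def _split(line: str):
    """(key, value) for one java.util.Properties line, or None for blank/comment lines.
    Handles '=' and ':' separators; escapes and continuations do not occur in this file."""
    s = line.strip()
    if not s or s[0] in "#!":
        return None
    idx = min((i for i in (s.find("="), s.find(":")) if i >= 0), default=-1)
    if idx < 0:
        return s, ""  # bare key, e.g. deployment.security.level.locked
    return s[:idx].strip(), s[idx + 1:].strip()


def parse_properties(text: str) -> dict:
    props = {}
    for raw in text.splitlines():
        kv = _split(raw)
        if kv:
            props[kv[0]] = kv[1]
    return props


def audit(props: dict) -> list:
    """Findings that deviate from HARDENED/LOCKED; an empty list means the file is hardened."""
    findings = []
    for key, want in HARDENED.items():
        have = props.get(key)
        if have is None:
            findings.append(f"{key} not set; Java falls back to its built-in default")
        elif have.lower() != want.lower():
            findings.append(f"{key}={have}, want {want}")
    for key in LOCKED:
        if key not in props:
            findings.append(f"{key} missing; the setting can be flipped back in the Control Panel")
    return findings


def harden(text: str) -> str:
    """Enforce HARDENED values and LOCKED keys in the file text; keep every other line as-is."""
    out, seen = [], set()
    for raw in text.splitlines():
        kv = _split(raw)
        if kv and kv[0] in HARDENED:
            out.append(f"{kv[0]}={HARDENED[kv[0]]}")
            seen.add(kv[0])
        elif kv and kv[0] in LOCKED:
            out.append(kv[0])
            seen.add(kv[0])
        else:
            out.append(raw)
    out += [f"{k}={v}" for k, v in HARDENED.items() if k not in seen]
    out += [k for k in LOCKED if k not in seen]
    return "\n".join(out) + "\n"


def main(argv: list) -> int:
    fix = "--fix" in argv
    args = [a for a in argv[1:] if a != "--fix"]
    path = Path(args[0]) if args else default_properties_path()
    # Java writes .properties files as ISO-8859-1, so read and write them that way.
    text = path.read_text(encoding="latin-1") if path.exists() else ""
    findings = audit(parse_properties(text))
    for finding in findings:
        print(f"{path}: {finding}")
    if findings and fix:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(harden(text), encoding="latin-1")
        print(f"{path}: rewritten")
    elif not findings:
        print(f"{path}: already hardened")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to audit your own per-user file, or point it at the system-wide file referenced from deployment.config and add `--fix` to enforce the settings for every user on the machine. Note that this only neuters the browser plugin; JREs bundled inside vendor tools, as described in the comment above, are unaffected and still need updating on their own.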

Darth Shiv said:

Continuing my post above: apparently Java now has a feature where you can disable browser support in its control panel.

Very good addition!

Yes, this is the absolute best case for me going forward... the most likely scenario is complete Java removal unless some 3rd-party software requires it, and even then I will be targeting hardware that does not have Java-based support software if possible.

learninmypc said:

Disabling Java plugin on Chrome:

[link]

I did exactly that, which is why I have to repeat post #3 in here [link] when I go to some website. Once I do post #3, I can see the website. A PITA.

Per Hansson (Staff), TS Server Guru, said:

This news post seems to indicate all is not well even with Java 7 Update 11: [link]

Guest said:

Oracle is not interested in this bug; it's just an infected Java installer, downloadable from a link and installed by millions, and Oracle says "not our problem, that's your problem, why did you install it, nobody told you that you must."

Shame on Oracle, to allow a virus-infected Java download.
