The new Oracle Java arbitrary code execution vulnerability has not only made the news wires and social media outlets, it has also claimed many victims and has been incorporated into several exploit kits. This critical vulnerability, documented in IntelliShield alert 27845, could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user running the browser. If that user has administrator privileges, the attacker could completely “own” the system. A fix is currently not available.
Update: Oracle released a software update (JDK7 update 11) that fixes this vulnerability. The update is available on their website. If you disabled Java in the Java Control Panel, you will need to manually re-enable it after installing the patch by using the check box in the Security tab of the Java Control Panel. Oracle’s security advisory and the JDK7 update 11 release notes include more information about the patch.
The exploit is now found in several exploit kits!
There are many reports that the vulnerability is being “exploited in the wild”. Not only is the exploit publicly available, it has also been incorporated into exploit kits such as Blackhole, Cool, and Nuclear Pack. Exploit kits make it easy for criminals to spread malicious software by taking advantage of both well-known and newly disclosed vulnerabilities in visitors’ browsers and plug-ins. Current exploit kits are loaded with some of the most dangerous zero-day exploits (including this one) and with other features that allow criminals to increase their profits.
The impact to the public is huge! Java is used by millions of users around the world on Microsoft Windows, Apple’s Mac OS X, and Linux systems, and it is also present on many mobile devices. Any system running the Java 7 browser plug-in is exposed.
What’s the difference between this Java vulnerability and the one from 2012?
This Java vulnerability is due to insufficient access restrictions on built-in classes in the Java Runtime Environment. An unsigned Java applet can reach restricted classes and then call setSecurityManager() to remove the security manager that enforces the applet sandbox, giving the applet an elevated security context in which it can run arbitrary code. Some have alleged that the exploit for this new Java vulnerability (CVE-2013-0422) is very similar to the Java vulnerability reported late last year (CVE-2012-5088); however, the two are fairly different. This article describes some of the technical details of the exploit.
How can I protect my system?
Because a fix is not currently available, users are strongly advised to disable Java and the Java plug-in in web browsers. The following links include step-by-step instructions about how to disable Java in different web browsers:
- How to disable the Java web plug-in for Safari
- Disabling plug-ins for Chrome
- How to turn off Java applets for Firefox
- How to disable the Java web plug-in for Internet Explorer
If you are installing Java 7 Update 10 or later, you can run the Java installer with the WEB_JAVA=0 command-line option, which installs Java but leaves it disabled in all web browsers; this is the same setting that the check box in the Security tab of the Java Control Panel controls. Oracle’s Java documentation has more detailed information about this feature.
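The steps above leave an administrator with two questions per machine: is the installed Java a vulnerable Java 7 build (anything before Update 11), and has web Java actually been switched off? The script below, an added example that is not part of the original post, answers both offline from constructed inputs. It assumes that `java -version` prints its version on the first line as `java version "1.7.0_10"` and that Java 7 Update 10 and later record the Java Control Panel’s browser setting as the `deployment.webjava.enabled` key in deployment.properties (whose location varies by operating system, so the path is passed in as an argument).

```shell
#!/bin/sh
# Added example (not from the original post): classify an installed Java
# against CVE-2013-0422 and check whether web Java has been disabled.
# Assumptions: 'java -version' prints 'java version "1.7.0_NN"' on its first
# line, and the Java Control Panel writes deployment.webjava.enabled=false
# to deployment.properties when "Enable Java content in the browser" is off.

# Extract the bare version string, e.g. 1.7.0_10, from java -version output.
# Works for "java version" and "openjdk version" banners.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 (true) when the version is Java 7 below Update 11, i.e. vulnerable.
# Only Java 7 is affected; Java 6 and earlier return 1 (false).
is_vulnerable_version() {
    ver=$1
    case "$ver" in
        1.7.0)   update=0 ;;                        # 7 GA, no update number
        1.7.0_*) update=${ver#1.7.0_}
                 update=${update%%[!0-9]*} ;;       # drop suffixes like "-b18"
        *)       return 1 ;;
    esac
    [ -n "$update" ] && [ "$update" -lt 11 ]
}

# Return 0 when the given deployment.properties disables Java in browsers.
web_java_disabled() {
    grep -q '^deployment\.webjava\.enabled=false' "$1" 2>/dev/null
}

# Live check of the local machine: java -version writes to stderr.
check_system() {
    out=$(java -version 2>&1) || { echo "java not found"; return 2; }
    ver=$(parse_java_version "$out")
    if is_vulnerable_version "$ver"; then
        echo "Java $ver: vulnerable to CVE-2013-0422; update to 7u11 or disable web Java"
        return 1
    fi
    echo "Java ${ver:-unknown}: not affected"
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1-}" = "--check" ]; then
    check_system
fi
```

Run it as `sh java-check.sh --check` on a host, or source it and call `web_java_disabled` against the user’s deployment.properties to confirm that the Control Panel change, or the WEB_JAVA=0 install, actually took effect rather than trusting that the browser plug-in is gone.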
Cisco has released an Intrusion Prevention System (IPS) signature (signature ID 1804/0). Network and security administrators can use this signature in Cisco IPS appliances and services modules to provide threat detection and help prevent attempts to exploit this vulnerability.
For the latest updates about this vulnerability and all other threat and vulnerability data, remember to visit Cisco SIO at cisco.com/security.
Looking through the CVE page it doesn’t appear to affect 1.6.036+. However, all versions of 1.7 are. Can we confirm this? I didn’t update to 1.7 because there were known vulnerabilities in it when it asked me to update, but I couldn’t find anything in 1.6.035 (that I was on at the time). It’s worth looking at whether they, or people individually, could just remediate to 1.6.037 and still maintain full functionality of Java.
Hi Chris, thank you for your comment! You have a very good point! This vulnerability is limited to JDK7; other releases of Java are not affected. However, there are other vulnerabilities in those earlier versions of the code that can also have serious implications. One additional note is that this vulnerability does not affect Java applications directly installed and running on servers, desktops, laptops, phones, and other devices. It only affects the browser plug-ins. This is why many are recommending disabling Java in web browsers.
Glad to see it’s just the web plugin that is vulnerable. I still haven’t found anything that is hitting 1.6 update 36 or 37. Ideally, people should just stop clicking through things that they didn’t ask for. We both know that will never happen.
Because a fix is not currently available, users are strongly advised to disable Java and the Java plug-in in web browsers.
Quick update: Oracle released a software update that fixes this vulnerability. The update is available on their website. If you disabled Java in the Java Control Panel, you will need to manually re-enable it after installing the patch by using the check box in the Security tab of the Java Control Panel. I have updated the post with the appropriate links.