January 14, 2013
Oracle Corp. released an emergency update Jan. 13 to fix security flaws in its Java software that had the U.S. Department of Homeland Security urging users last week to disable the program.
“Oracle has just released Security Alert CVE-2012-0422 to address two vulnerabilities affecting Java in web browsers,” reads a post on Oracle’s Software Security Assurance Blog. “Oracle recommends that this security alert be applied as soon as possible because these issues may be exploited ‘in the wild’ and some exploits are available in various hacking tools.”
Oracle said it has also switched Java’s security settings to “high” by default, making it harder for suspicious programs to run on a personal computer without the user’s knowledge.
The vulnerabilities were found only in the JDK7 version of the software. Java applications directly installed and running on servers, desktops, laptops and other devices are not at risk.
According to the U.S. Computer Emergency Readiness Team, any system using Oracle Java 7 including Java Platform Standard Edition 7 (Java SE 7), Java SE Development Kit (JDK 7) or Java SE Runtime Environment (JRE 7) are at risk.
“All versions of Java 7 through update 10 are affected,” the agency’s website reads. “Web browsers using the Java 7 plug-in are at high risk.”
Java security expert Adam Gowdiak, who discovered several bugs in the software last year, told Reuters the update from Oracle has not addressed all of the security flaws.
“We don’t dare to tell users that it’s safe to enable Java again,” Gowdiak, a researcher with Poland’s Security Explorations, was quoted by Reuters.
Hackers discovered a vulnerability in the Java Security Manager which enables them to commit crimes such as identity theft. The issue is, Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code.
“An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet,” the website reads.
“Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors. Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.”
Java software can run on almost any type of computer, including those that use Microsoft Corp’s Windows, Apple’s OS X and Linux.
Java is accessed through modules, or plug-ins, that run the software on top of browsers such as Internet Explorer or Firefox.
“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the U.S. Computer Emergency Readiness Team website reads. “To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.”
Those affected should follow these instructions from the U.S. Computer Emergency Readiness Team:
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client: For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.
If you are unable to update to Java 7 Update 10 please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.