Last week, researchers discovered a Java vulnerability being widely exploited online, as it was included in several crime kits, including Blackhole and Cool Exploit. On Sunday, Oracle released a patch in order to address the issue, but some experts doubt it will help.
SecurityWeek reported on the issue last Thursday. Jaime Blasco, the labs manager at AlienVault, wrote that they were able to confirm details sent to them by a researcher in France, and that the newly discovered flaw in Java was similar to one uncovered last year. Their announcement was followed by others, including one from DHS, which urged users to disable the third-party software.
“By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability,” an advisory from US-CERT explains.
This latest threat, as is the case with most Java vulnerabilities, opens the floodgates for attackers because Java itself is cross-platform. Thus, with a little work, the same vulnerability can be used to target Windows, Mac OS X, and Linux systems at the same time. In practice, though, this rarely happens.
Oracle, in their patch announcement on Sunday, urged all users to update as soon as possible. However, Adam Gowdiak, a researcher in Poland with Security Explorations, says his firm will hold off on telling its customers that Java is safe to use again. The decision is due to the sheer volume of issues his firm discovered over the last year.
If Java isn’t needed, the recommendation is that it be uninstalled from a given system. If it needs to remain installed, Oracle has published guidance for disabling it in the browser.
“This fix is available now as Java 7u11 and anyone who uses Java in their browser should update immediately,” Ross Barrett, Senior Manager of Security Engineering at Rapid7, said in an emailed statement. “This fix also changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed. This indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the *next* time a Java vulnerability is exploited in the wild.”