Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0), including:
- Java Platform Standard Edition 7 (Java SE 7)
- Java SE Development Kit (JDK 7)
- Java SE Runtime Environment (JRE 7)
All versions of Java 7 through Update 10 are affected. Web browsers using the Java 7 plug-in are at high risk.
Overview
A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.
Description
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).
Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.
Further technical details are available in Vulnerability Note VU#625617.
Impact
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.
Solution
Disable Java in web browsers
This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From "Setting the Security Level of the Java Client":
"For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab."
If you are unable to update to Java 7 Update 10, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.
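An added example, not part of this alert, that turns the two facts above into a fleet audit check: whether a host's Java version falls in the affected range (Java 7 through Update 10) and whether the per-user Java Control Panel setting "Enable Java content in the browser" has been switched off. It assumes that checkbox is persisted as the key deployment.webjava.enabled in the user's deployment.properties file (an assumption about Java's deployment configuration, not something the alert states); the sample properties text is constructed.

```python
import re

# Per the alert: Java 7 (1.7.0) through Update 10 is affected.
LAST_AFFECTED_UPDATE = 10

_VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(version_string):
    """Parse strings such as '1.7.0_10' or '1.7.0_11-b21' into
    (major, minor, micro, update); a missing update counts as 0."""
    m = _VERSION_RE.match(version_string.strip().strip('"'))
    if not m:
        raise ValueError("unrecognised Java version: %r" % version_string)
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def is_affected_java7(version_string):
    """True when the runtime is Java 7 Update 10 or earlier."""
    major, minor, _micro, update = parse_java_version(version_string)
    return (major, minor) == (1, 7) and update <= LAST_AFFECTED_UPDATE


def web_java_disabled(deployment_properties_text):
    """True if deployment.properties disables Java content in browsers.
    Assumption: the Control Panel checkbox maps to deployment.webjava.enabled;
    an absent key is treated as enabled (Java's default)."""
    enabled = True
    for line in deployment_properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', '!')):  # properties-file comments
            continue
        key, sep, value = line.partition('=')
        if sep and key.strip() == 'deployment.webjava.enabled':
            enabled = value.strip().lower() != 'false'
    return not enabled


def assess_host(version_string, deployment_properties_text):
    """Combine both checks into one status line for a fleet report."""
    if not is_affected_java7(version_string):
        return "not affected by this alert"
    if web_java_disabled(deployment_properties_text):
        return "affected runtime, browser plug-in disabled (mitigated)"
    return "affected runtime, browser plug-in enabled (at risk)"


# Constructed sample of a user's deployment.properties (not from a real host).
SAMPLE_PROPERTIES = "#deployment.properties\ndeployment.webjava.enabled=false\n"

if __name__ == "__main__":
    print(assess_host("1.7.0_10", SAMPLE_PROPERTIES))
```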
References
Revision History
- January 10, 2013: Initial release
- January 11, 2013: Updated language about disabling Java in web browsers