Zero-day exploit hits Java – should you just turn it off?

The discovery of a zero-day vulnerability in Oracle’s Java 7 has prompted calls for users to turn off Java in their browsers until a patch is issued, something feds and other government managers might want to think about, too.

The flaw is being exploited in active, though so far limited, attacks that are originating from a server in China, according to security researcher Atif Mushtaq at FireEye, who first reported the flaw on Aug. 26.

The attacks download the Poison Ivy RAT (for Remote Access Trojan), which takes commands from a remote server. The vulnerability exists only in Java 7 (1.7) Update 0 to 6, not earlier versions, and works in all versions of Internet Explorer, Firefox and Opera, according to researchers Andre DiMino and Mila Parkour at DeepEnd Research, who also have examined the Trojan. Meanwhile, Rapid7, which maintains the Metasploit bank of exploits for penetration testing and hacking, said it had developed an exploit that also works against Chrome.

The Metasploit exploit reportedly works against patched versions of Windows 7, as well as against IE and Firefox on Vista and XP, Chrome on XP and Firefox on Ubuntu Linux 10.04.

In developing the Federal Desktop Core Configuration for standardizing agency systems, the National Institute of Standards and Technology originally banned the use of Java because of security concerns. But in August 2008, NIST said agencies could enable Java on approved websites.

Although reports of attacks are few so far, security researchers say the potential threat is serious because of Java’s ubiquity and because Oracle issues its patches quarterly, with the next one not due until October. Unless the company issues an emergency patch, unsuspecting users could be vulnerable to drive-by attacks.

Security writer Brian Krebs is among those advocating turning Java off. He said Windows users can check to see if they’re running Java by going to Java.com and clicking the “Do I have Java?” links and Mac users can check Software Updates.

If you use websites or programs that require Java, Krebs recommended using two browsers: one with Java turned off for most web use, and one with it enabled for the must-have programs.

Andy Greenberg of Forbes pointed to instructions for disabling Java for Firefox, Chrome and Safari, and for IE.

DiMino and Parkour of DeepEnd Research, meanwhile, have developed an unofficial patch for anyone who really needs Java, although third-party patches aren’t generally recommended.

They also said downgrading to an earlier version of Java was not a good idea because of all the vulnerabilities that exist in those older versions.

Until an official patch is issued, disabling Java wherever possible could be the best option.

Reader Comments

Thu, Aug 30, 2012 Miguel G US

Oracle has now released a patch for this: Oracle Security Alert for CVE-2012-4681 was released on August 30, 2012.

This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A) and two other vulnerabilities affecting Java running in web browsers on desktops.

Wed, Aug 29, 2012

If you use a Chromebook, this is a non-issue.

Wed, Aug 29, 2012 Terry Schneider Hillsborough, NC

This probably would have happened if Sun Microsystems was still in business and Java was controlled by them. Larry Ellison only cares about money and not how well the product works. He had a moral commitment to keep Java viable. I had noticed many problems with Java after he bought Sun. Java needs to be taken away from Oracle and maintained by a group who cares, or a replacement needs to be developed.
