Zero-day exploit hits Java – should you just turn it off?
The discovery of a zero-day vulnerability in Oracle’s Java 7 has prompted calls for users to turn off Java in their browsers until a patch is issued, something feds and other government managers might want to think about, too.
The flaw is being exploited in active, though so far limited, attacks that are originating from a server in China, according to security researcher Atif Mushtaq at FireEye, who first reported the flaw on Aug. 26.
The attacks download the Poison Ivy RAT (for Remote Access Trojan), which takes commands from a remote server. The vulnerability exists only in Java 7 (1.7) Update 0 to 6, not earlier versions, and works in all versions of Internet Explorer, Firefox and Opera, according to researchers Andre DiMino and Mila Parkour at DeepEnd Research, who also have examined the Trojan. Meanwhile, Rapid7, which maintains the Metasploit bank of exploits for penetration testing and hacking, said it had developed an exploit that also works against Chrome.
The Metasploit exploit reportedly works against patched versions of Windows 7, as well as against IE and Firefox on Vista and XP, Chrome on XP and Firefox on Ubuntu Linux 10.04.
In developing the Federal Desktop Core Configuration for standardizing agency systems, the National Institute of Standards and Technology originally banned the use of Java because of security concerns. But in August 2008, NIST said agencies could enable Java on approved websites.
Although reports of attacks are few so far, security researchers say the potential threat is serious because of Java’s ubiquity and because Oracle issues its patches quarterly, with the next one not due until October. Unless the company issues an emergency patch, unsuspecting users could be vulnerable to drive-by attacks.
Security writer Brian Krebs is among those advocating turning Java off. He said Windows users can check to see if they’re running Java by going to Java.com and clicking the “Do I have Java?” links, and Mac users can check Software Updates.
If you use websites or programs that require Java, Krebs recommended using two browsers — one with Java turned off for most web use, and one with it enabled for the must-have programs.
Andy Greenberg of Forbes pointed to instructions for disabling Java for Firefox, Chrome and Safari, and for IE.
DiMino and Parkour of DeepEnd Research, meanwhile, have developed an unofficial patch for anyone who really needs Java, although third-party patches aren’t generally recommended.
They also said downgrading to an earlier version of Java was not a good idea because of all the vulnerabilities that exist in those older versions.
Until an official patch is issued, disabling Java wherever possible could be the best option.