Oracle Java 7 Security Manager Bypass Vulnerability
Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0), including:
- Java Platform Standard Edition 7 (Java SE 7)
- Java SE Development Kit (JDK 7)
- Java SE Runtime Environment (JRE 7)
Overview
A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.
Description
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).
Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.
Further technical details are available in Vulnerability Note VU#625617.
Impact
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.
Solution
Disable Java in web browsers
This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java Control Panel applet. From Setting the Security Level of the Java Client:
"For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab."
If you are unable to update to Java 7 Update 10, please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per-browser basis.
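The Control Panel checkbox described above is persisted in the user's (or, for site-wide policy, the system's) deployment.properties file, where the "Enable Java content in the browser" setting is stored under Oracle's documented property name deployment.webjava.enabled (Java 7 Update 10 and later; a property can be pinned against per-user override with a matching .locked key in the system-level file). The script below is an added example and not part of the US-CERT alert or any Oracle tooling: it parses a deployment.properties file in the java.util.Properties text format and reports whether browser Java has actually been switched off, so an administrator can verify the change rather than trust that the checkbox stuck. The default per-user file locations it looks in are assumptions based on Oracle's documented defaults; the sample file contents are constructed.

```python
"""Verify the 'Enable Java content in the browser' setting (Java 7u10+).

Added example, not part of the US-CERT alert. Relies on Oracle's documented
property deployment.webjava.enabled (true/false) and the optional
<property>.locked marker used in system-level deployment.properties files.
"""
import os
import sys


def parse_java_properties(text):
    """Minimal parser for the java.util.Properties text format:
    '#'/'!' comment lines, '=' or ':' or whitespace as the key/value
    separator, backslash line continuations, and backslash escapes in keys."""
    logical_lines = []
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()           # continuation lines drop leading blanks
        if pending:
            line = pending + line
            pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues onto the next line.
        stripped = line.rstrip("\\")
        if (len(line) - len(stripped)) % 2 == 1:
            pending = stripped
            continue
        logical_lines.append(line)
    if pending:
        logical_lines.append(pending)

    props = {}
    for line in logical_lines:
        key_chars = []
        i = 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):   # escaped ':', '=', ' ' in key
                key_chars.append(line[i + 1])
                i += 2
                continue
            if ch in "=: \t":
                break
            key_chars.append(ch)
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props["".join(key_chars)] = rest.strip()   # key with no value -> ""
    return props


def web_java_status(props):
    """Return (state, locked): state is 'disabled', 'enabled' or
    'default (enabled)'; locked is True if the setting carries a .locked marker."""
    value = props.get("deployment.webjava.enabled")
    locked = "deployment.webjava.enabled.locked" in props
    if value is None:
        state = "default (enabled)"      # absent key means the Oracle default
    elif value.strip().lower() == "false":
        state = "disabled"
    else:
        state = "enabled"
    return state, locked


def default_user_properties_path():
    """Per-user deployment.properties location (assumption: Oracle's documented
    defaults for Windows, OS X and other Unix-like systems)."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("USERPROFILE", ""), "AppData", "LocalLow",
                            "Sun", "Java", "Deployment", "deployment.properties")
    if sys.platform == "darwin":
        return os.path.join(os.path.expanduser("~"), "Library", "Application Support",
                            "Oracle", "Java", "Deployment", "deployment.properties")
    return os.path.join(os.path.expanduser("~"), ".java", "deployment", "deployment.properties")


# Constructed sample: what the Control Panel leaves behind after de-selecting
# "Enable Java content in the browser" (the other keys are typical neighbours).
SAMPLE_DISABLED = """\
#deployment.properties
#Thu Jan 10 20:00:00 EST 2013
deployment.version=7.10
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
"""


def main(path=None):
    """Report the setting for one file; exit status 0 only when disabled."""
    path = path or default_user_properties_path()
    if not os.path.exists(path):
        print("no deployment.properties at %s: browser Java is at its default (enabled)" % path)
        return 1
    with open(path) as fh:
        state, locked = web_java_status(parse_java_properties(fh.read()))
    print("%s: Java content in the browser is %s%s" % (path, state, " (locked)" if locked else ""))
    return 0 if state == "disabled" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with no arguments to check the current user's file, or pass the path of a system-level deployment.properties to confirm a site-wide, locked setting; a missing file or a missing key is reported as "default (enabled)" rather than silently passing, because the Oracle default leaves browser Java on.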
References
- Vulnerability Note VU#625617
- Setting the Security Level of the Java Client
- The Security Manager
- How to disable the Java web plug-in in Safari
- How to turn off Java applets
- Securing Your Web Browser
- Vulnerability Note VU#636312
Revision History
- January 10, 2013: Initial release
- January 11, 2013: Updated language about disabling Java in web browsers
Can you follow that?
I couldn't. I get there's a problem but how to fix it was beyond me. Cedric read it and tried to do it on our computers. He had no luck.
We finally called C.I. and felt bad because we didn't realize how late it was. She was fine with it. She said give her ten minutes to get somewhere quiet and at a computer and she'd talk us through.
So she did and we uninstalled it in programs and went through all our browsers disabling it as well. I hope that did it.
I wish I could give you some info on how that happened. My computer knowledge is, hit the button and it comes on. Say thank you for the miracle.
Now C.I. always says she doesn't know about computers but she does. She knows a ton about computers. One time, I was being hacked, I couldn't control anything on the computer. I was in my blogging template and it was going up and down, up and down and I had other screens open and they were dancing around. I was freaking out.
C.I. told me to shut it down and go into safe mode (which I had to be talked through). Once I was in that, she had me do three or four things and then boot up in regular mode so she could 'dial' in and then she started doing all this stuff on the computer -- screens were flipping, it was something. And then she said to me, "All done. You should be fine." And I never had that problem again. And if you ask her, she'll say she's not really sure. Which either really means, it's too complicated to explain or she's just intuitive about computers, I don't know.
If you know a way to disable Java that's easy, feel free to leave the directions in comments. But do work at disabling it.
This is C.I.'s "Iraq snapshot:"