Tuesday, August 28, 2012

New Exploit Hits Java On All Operating Systems and Browsers

A new Java zero-day vulnerability has been detected that allows attackers to execute arbitrary code on client systems, and several attacks have already been spotted in the wild, prompting security researchers to warn users that they might want to disable, or completely remove, Java from their machines.

The vulnerability is found in the latest version of Java 7, which most of your updated machines should be running. At this time it is believed that the exploit only works against Windows-based machines. However, researchers say that the exploit could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari.

Security vendor Rapid7 has set up a site that will detect the version of Java running in the user's browser and tell her whether it contains the newly discovered Java vulnerability. If the site detects the Java plugin in your browser it will prompt you to disable it. It should be noted that you might want to test it with every browser you have installed, just in case.
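As an added example of the kind of browser-side check such a detection page performs (this is not Rapid7's code and not part of the original post), the snippet below reads the legacy navigator.plugins / navigator.mimeTypes API that NPAPI-era browsers exposed; the navigator object is a parameter so the logic can also run on the constructed sample at the bottom, and the plugin names and MIME types in that sample are assumed, not taken from the post.

```javascript
// Added example: a browser-side Java plug-in check in the spirit of the
// detection page described above (not Rapid7's code). `nav` is passed in
// so the same logic runs on the real navigator or on constructed data.
const JAVA_APPLET_MIME = "application/x-java-applet";

// Returns { present, enabled, major, update }: whether a Java plug-in is listed,
// whether it is actually usable, and the Java major/update numbers (null if unreadable).
function detectJavaPlugin(nav) {
  const result = { present: false, enabled: false, major: null, update: null };
  const plugins = Array.from(nav.plugins || []);

  // 1. Find a plug-in that identifies itself as Java. Typical names are
  //    "Java(TM) Platform SE 7 U6" (Oracle) or "Java Applet Plug-in" (Apple).
  const java = plugins.find(p => /java/i.test(p.name) || /java/i.test(p.description || ""));
  if (!java) return result;
  result.present = true;

  // 2. A plug-in is only reachable from a page if a MIME type maps to it;
  //    a plug-in disabled in the browser's add-on manager drops out of mimeTypes.
  const mimes = Array.from(nav.mimeTypes || []);
  result.enabled = mimes.some(m => m.type.startsWith(JAVA_APPLET_MIME) && m.enabledPlugin === java);

  // 3. Read the version from the name ("... SE 7 U6") or, failing that, from a
  //    versioned MIME type such as "application/x-java-applet;version=1.7".
  const byName = /SE\s+(\d+)(?:\s+U(\d+))?/i.exec(java.name || "");
  if (byName) {
    result.major = Number(byName[1]);
    result.update = byName[2] !== undefined ? Number(byName[2]) : null;
  } else {
    const byMime = mimes.map(m => /version=1\.(\d+)/.exec(m.type)).find(Boolean);
    if (byMime) result.major = Number(byMime[1]);
  }
  return result;
}

// Java 7 is the release the post reports as affected, so an enabled Java 7 plug-in
// is the condition under which a check page would tell the user to disable it.
function needsDisabling(nav) {
  const java = detectJavaPlugin(nav);
  return java.enabled && java.major === 7;
}

// Constructed sample mimicking a Windows Firefox with Java 7 Update 6 enabled.
const javaPlugin = { name: "Java(TM) Platform SE 7 U6", description: "Java plug-in for Mozilla browsers" };
const sampleNavigator = {
  plugins: [{ name: "Shockwave Flash" }, javaPlugin],
  mimeTypes: [{ type: "application/x-java-applet;version=1.7", enabledPlugin: javaPlugin }],
};
```

In a real page you would call needsDisabling(navigator); on the sample it returns true, and after the plugin is disabled in the add-on manager the MIME mapping disappears and it returns false.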

Oracle has not released an official statement on the new Java flaw, and unfortunately the next scheduled patch release is not until mid-October. Since Oracle does not release emergency patches very often, the best course of action right now is to disable Java in any browser that you use regularly.

How to disable Java in Google Chrome:

  • Go to the wrench in the upper right corner of the browser window
  • Click on settings and search for Java in the search box
  • Click on the highlighted Content Settings button and then scroll down to the Plug-ins entry
  • Select Disable Individual Plugins and then click on Disable Java

How to disable Java in Mozilla Firefox:

  • Click on the Firefox tab in the top left corner and then click Add-ons
  • Select Plug-ins and then click Disable on Java

How to disable Java in Safari:

  • Click Preferences, and then the Security tab (uncheck “Enable Java”)

How to disable Java in Opera:

  • Enter about:config in the address bar
  • Click the Java heading to expand that section, un-check the checkbox, and click the Save button

How to disable Java in Internet Explorer:

Unfortunately for Internet Explorer users, disabling Java seems to be much more complex. The U.S. Computer Emergency Response Team (US-CERT) lists these steps, which may or may not completely remove Java from IE. There is also a simple setting that should disable Java for IE and Firefox at the same time:

  • Open Control Panel and launch the Java applet. If you don't see it, switch to Classic View (in XP) or small icons (in Windows 7 or Vista).
  • Click the Advanced tab and expand the item titled Default Java for browsers.
  • Un-check the boxes for Microsoft Internet Explorer and for Mozilla family. You may need to click the item and press spacebar in order to clear the checkmarks.
  • Click OK and you're done.

**Update: The above steps may or may not work for you. I could not get the setting to save no matter what I did!

Once you've followed these steps, to be sure you've succeeded, visit the Java test page at http://java.com/en/download/testjava.jsp from each of the browsers you use.

Personally I rarely use Java, so I suggest completely uninstalling it from your machines. Oracle may or may not release an emergency patch. But even if they don't, I can do without it for a few months.
