Attackers have seized upon a security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. Within days of its discovery it appears that the new zero-day flaw could soon become widespread.
The original report from FireEye indicates that the initial attacks exploiting this weakness, emanating from a Chinese web server, have been targeted and not widespread. However, subsequent information from security sources suggests that the exploit code is now public and is being folded into more widely available attack tools such as Metasploit and exploit kits like BlackHole (the exploit pack most commonly used by criminals).
What you should know:
- The flaw affects all versions of Oracle’s Java 7 (version 1.7) on all supported platforms. Java 6 and earlier remain unaffected.
- Unless Oracle departs from its normal update release policy, the next patch is not scheduled until the middle of October.
- All major browsers are affected. Initial reports indicating that the exploit code would not work against Google Chrome have now been debunked with the news that there is a Metasploit module under development which is successful against the Chrome browser.
What you should do:
- To find out if Java is installed on your system and identify which version, go to java.com and click on the “Do I have Java” link.
- Immediately disable the Java plug-in in your browser(s) – (guides pertaining to each browser can be accessed via this advisory.)
- If you absolutely must have Java for certain sites – utilize a secondary browser for those sites only, with the plug-in enabled.
- The ultimate solution would be to uninstall Java altogether.
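The first step above is to find out whether Java is present and which version it is. As an added example (not from the DCT article or from Oracle), the following Python 3 script parses the banner that `java -version` prints and applies the advisory’s rule: any Java 7 (1.7.x) build is affected, Java 6 and earlier are not. The sample banners are constructed for illustration; the live check assumes a `java` executable on the PATH and simply reports “not found” otherwise.

```python
import re
import subprocess

# Constructed sample banners in the format `java -version` writes to stderr.
SAMPLE_JAVA7 = 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
SAMPLE_JAVA6 = 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)\n'

# Matches both the Oracle ("java version") and OpenJDK ("openjdk version") banner
# styles; minor, patch and update components are optional so newer "11.0.2"-style
# strings still parse.
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?"'
)


def parse_java_version(banner):
    """Return (major, minor, patch, update) parsed from a version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), int(update or 0))


def is_affected(version):
    """Advisory rule: every Java 7 (reported as 1.7.x) build is affected;
    Java 6 and earlier are not. Unknown/absent versions are reported as not affected."""
    if version is None:
        return False
    major, minor = version[0], version[1]
    return major == 1 and minor == 7


def installed_java_version():
    """Run `java -version` if a JRE is on the PATH and return the parsed tuple.
    Returns None when no java binary is found or the banner cannot be parsed."""
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # The banner normally goes to stderr; check both streams to be safe.
    return parse_java_version(proc.stderr + proc.stdout)


def report(version):
    """Human-readable one-liner for a parsed version tuple."""
    if version is None:
        return "Java not found (or banner not recognised)"
    text = "%d.%d.%d_%02d" % version
    status = "AFFECTED: disable the browser plug-in" if is_affected(version) else "not affected"
    return "Java %s: %s" % (text, status)


if __name__ == "__main__":
    # Demonstrate the rule on the constructed samples, then check this machine.
    for banner in (SAMPLE_JAVA7, SAMPLE_JAVA6):
        print(report(parse_java_version(banner)))
    print("This system:", report(installed_java_version()))
```

The version check only tells you whether a JRE is installed; a browser plug-in can remain registered even after the JRE is removed, so verify the plug-in state in each browser separately as the next step describes.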
Credit where credit is due:
You heard it first on DCT – Our fearless leader (yes Dave) published an article back in November last year … You should junk your Java! … which explains the ultimate (and permanent) solution in detail. Dave’s article was not only very sound advice but, as it turns out, also somewhat prophetic.
I don’t like Java – unless it’s in a coffee cup 🙂
Agreed! I stopped installing it several years ago – not due to security concerns (at the time), but because I never found a need for it. Still haven’t!
My daughter indicates a couple of websites she visits require it, so it’s disabled and used on demand. I would just as soon see it gone, but you can’t tell a 14 year old anything – apparently they already know everything!
I uninstalled Java when I first heard about the problem… a week or so ago? Anyway, nothing has changed… in other words I don’t miss it and no need for it has come up. So what was the point of Java in the first place, lo those many years ago?
A wise decision IMHO!
Oracle released updates for both Java 7 and Java 6 several days after this article was published. Obviously, the widespread [bad] publicity motivated Oracle to act outside its normal update regimen.
Now news is rife that the update issued to fix the flaw includes yet another new/different vulnerability… it appears that it will now be necessary for Oracle to issue a patch to patch the flaw in the patch which was issued to patch the flaw. 🙂
And on it goes!
Maybe they should change their name to Orifice D:
LOL – Cracked me up!
If I ditch Java won’t I lose all the functionality that Java applets offer? i.e., what is the downside to ditching Java?