Attackers have seized upon a security hole in Oracle’s ubiquitous Java software to break into vulnerable systems. Within days of its discovery, it appears that the new zero-day flaw could soon be exploited widely.
The original report from FireEye indicates that the initial attacks exploiting this weakness, emanating from a Chinese web server, have been targeted rather than widespread. However, subsequent information from security sources suggests that the exploit code is now public and is being folded into more widely available attack tools such as Metasploit and exploit kits like BlackHole (the exploit pack most commonly used by criminals).
What you should know:
- The flaw affects all versions of Oracle’s Java 7 (version 1.7) on all supported platforms. Java 6 and earlier remain unaffected.
- Unless Oracle departs from its normal update release policy, the next patch is not scheduled until the middle of October.
- All major browsers are affected. Initial reports indicating that the exploit code would not work against Google Chrome have now been debunked with the news that there is a Metasploit module under development which is successful against the Chrome browser.
What you should do:
- To find out whether Java is installed on your system, and which version, go to java.com and click on the “Do I have Java?” link.
- Immediately disable the Java plug-in in your browser(s) (guides for each browser can be accessed via this advisory).
- If you absolutely must have Java for certain sites, use a secondary browser, with the plug-in enabled, for those sites only.
- The ultimate solution is to uninstall Java altogether.
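As an added example (not part of the original post), a small Python script that performs the version check described above from the command line: it parses the banner that `java -version` prints and flags a 1.7.x runtime as the affected Java 7. The sample banners in the comments are constructed, not captured from a real machine.

```python
"""Classify an installed Java runtime against the Java 7 (1.7.x) zero-day.

Added example for this advisory, not code from the original post. It parses
the first line that `java -version` prints (on stderr) and reports whether the
runtime is Java 7, the branch the advisory says is affected.
"""
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample banners:
#   java version "1.7.0_06"   -> Java 7, affected
#   java version "1.6.0_33"   -> Java 6, unaffected per the advisory
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?"'
)


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    # Missing components (e.g. a bare "9") are treated as zero.
    return tuple(int(g or 0) for g in m.groups())  # type: ignore[return-value]


def is_affected(output: str) -> Optional[bool]:
    """True for Java 7 (reported as 1.7.x), False otherwise, None if not installed."""
    v = parse_java_version(output)
    if v is None:
        return None
    return (v[0], v[1]) == (1, 7)


def check_local_java() -> Tuple[str, Optional[bool]]:
    """Run `java -version` on this machine and classify it; ("", None) if absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "", None
    text = proc.stderr + proc.stdout  # the JDK prints the banner to stderr
    return text.strip(), is_affected(text)


if __name__ == "__main__":
    banner, affected = check_local_java()
    if affected is None:
        print("Java not found in PATH (a browser plug-in may still be installed)")
    else:
        print(banner.splitlines()[0], "-> AFFECTED" if affected else "-> not Java 7")
```

Note that the command-line runtime and the browser plug-in can be different installations, so a clean result here does not replace checking (and disabling) the plug-in in each browser.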
Credit where credit is due:
You heard it first on DCT – our fearless leader (yes, Dave) published an article back in November last year, “You should junk your Java!”, which explains the ultimate (and permanent) solution in detail. Dave’s article was not only very sound advice but, as it turns out, also somewhat prophetic.