JAVA = Just Awaiting Vulnerability Attack? Sophos and others have found more evidence that cybercriminals are already using the latest zero-day security flaw in Java to infect computers with malware.
The exploit has even been included in some popular hacking tools and KrebsonSecurity note that “the latest figures suggest that these vulnerabilities have exposed more than a billion users to attack”.
I reviewed this flaw on Tuesday after it came to light and noted that Oracle’s next scheduled critical patch update for Java is not until October 16 – the last one was in June.
So it’s even more annoying to find out that Oracle were apparently warned way back in April of this vulnerability – and a host of others, 31 Java security issues in total. That should have been ample time to fix them in the June update but apparently they only fixed 2 of the 31 issues…
Oracle do not appear to have issued any public statement and there’s no mention of this security fiasco on their (very active) Twitter account.
UPDATED August 31 – Oracle have just released a new version of Java 7 (Update 7) to fix the zero day flaw (4 fixes in total) and a new Java 6 version (Update 35) to fix 1 security issue. Only another 25 to go then…
Java is a huge target for malware writers to attack – it is especially attractive because it is installed on so many computers (84% of visitors to TechLogon) and it is cross-platform, i.e. it can be installed on Windows, Mac OS X and Linux computers.
Microsoft do not come out of this mess smelling of roses either. Best security advice is to disable Java in your web browser at least (preferably uninstall it completely) but Microsoft’s Internet Explorer makes that almost impossible.
“Due to the complexity and impracticality of disabling Java in Internet Explorer, you may wish to uninstall Java to protect against this vulnerability. If Java is still needed, consider installing the latest version of Java 6”.
Why So Difficult to Disable In IE?
IE’s security is poor – it ignores settings you make in ‘Manage Add-ons’ to disable Java. In IE there are several ways to invoke a Java applet – and several ways to configure Java support.
Oracle detail these multiple scenarios here – webpages can use Object, Embed or Applet tags to invoke Java, so all three possibilities must be disabled.
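The point that Java can be launched from three different tag forms is easy to state but easy to miss when auditing. The small scanner below is an added example (it is not code from the original post or from Oracle): it walks an HTML document with Python's standard-library parser and reports every applet, object or embed tag that would hand control to the Java plug-in. It assumes the Java MIME types all begin with application/x-java and that the Java Plug-in ActiveX control is referenced by the CLSID prefixes shown (the 8AD9C840 dynamic control and the CAFEEFAC version-specific ones); the sample page it scans is constructed for this example.

```python
"""Find every tag form that can launch the Java plug-in in an HTML page.

Added example, not from the original post. Useful for auditing saved pages or
a proxy archive to see which of the three invocation routes a page relies on.
"""
from html.parser import HTMLParser

# All Java applet MIME types start with this (e.g. application/x-java-applet).
JAVA_MIME_PREFIX = "application/x-java"
# Assumed CLSID prefixes of the Java Plug-in ActiveX control (lower-cased,
# since attribute values are lower-cased before comparison).
JAVA_CLSID_PREFIXES = ("clsid:8ad9c840", "clsid:cafeefac")


class JavaInvocationFinder(HTMLParser):
    """Collects (line, tag, reason) for each tag that would invoke Java."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <embed ... /> also arrive here, because
        # HTMLParser's default handle_startendtag delegates to handle_starttag.
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        reason = None
        if tag == "applet":
            reason = "applet tag"
        elif tag == "object":
            if a.get("classid", "").startswith(JAVA_CLSID_PREFIXES):
                reason = "object classid=" + a["classid"]
            elif a.get("type", "").startswith(JAVA_MIME_PREFIX):
                reason = "object type=" + a["type"]
        elif tag == "embed":
            if a.get("type", "").startswith(JAVA_MIME_PREFIX):
                reason = "embed type=" + a["type"]
        if reason:
            line, _offset = self.getpos()
            self.findings.append((line, tag, reason))


def find_java_invocations(html):
    """Return a list of (line_number, tag_name, reason) for Java launch points."""
    parser = JavaInvocationFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: three Java launch points plus one Flash object
# that must NOT be reported.
SAMPLE_HTML = """<html><body>
<p>Harmless paragraph.</p>
<applet code="Hello.class" width="1" height="1"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
  <param name="code" value="Hello.class">
</object>
<embed type="application/x-java-applet" code="Hello.class" />
<object type="application/x-shockwave-flash" data="movie.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason in find_java_invocations(SAMPLE_HTML):
        print(f"line {line}: <{tag}> -> {reason}")
```

Run against the constructed sample it reports the applet on line 3, the object on line 4 and the embed on line 7, and stays silent on the Flash object. The same three checks are what a browser-side block list has to cover; blocking only the applet tag, as a naive add-on setting might, leaves the other two routes open.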
What can we learn from this debacle?
Uninstall Java 7 completely.
Don’t replace it if at all possible – this latest breach of security is just one of 29 security issues still to be fixed – after 4 months…
If you absolutely must, install the latest version of Java 6 (Update 34 at time of writing) from Oracle here.
Disable Java in Chrome, Firefox, Safari etc.
Don’t use IE.