Java 7 issues
Computerworld - Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.
The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.
David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.
"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.
JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that was released earlier this month.
Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion.
Although the exploits now circulating in the wild have been aimed only at Windows users, it's possible that Macs could also be targeted.
"What is more worrisome is the potential for this to be used by other malware developers in the near future," said Intego, a Mac-specific antivirus vendor, in a post to its own blog Monday. "Java applets have been part of the installation process for almost every malware attack on OS X this year."
The largest Mac malware campaign to date also involved Java. Flashback, which exploited a Java bug that at the time had not been patched by Apple, infected hundreds of thousands of Macs starting in early April 2012.
Apple stopped bundling Java with OS X starting with last year's Lion, a practice it continued with Mountain Lion. Those users, however, may still have Java installed; when a browser encounters a Java applet, it asks the user for permission to download the Oracle software.
People running the older Snow Leopard (2009) and Leopard (2007) are even more vulnerable to attacks, as Java came with those operating systems.
Apple still maintains Java 6, but Oracle is responsible for patching Java 7.
"The vulnerability is not in Java 6, it's in new functionality in Java 7," said Beardsley.
Beardsley called the bug "super dangerous," noting that it was "totally a drive by," meaning that attackers could compromise a Mac, or other personal computers, simply by duping users into browsing to a malicious or previously-hacked website that hosts the attack code.
Beardsley recommended that users disable Java until Oracle delivers a patch, advice seconded by virtually every security expert commenting on the new-found flaw.
Mac owners can disable the Java plug-in from within their browsers, or remove Java 7 from their machines. To do the latter, select "Go to Folder" from the Finder's "Go" menu, enter "/Library/Java/JavaVirtualMachines/" and drag the file "1.7.0.jdk" into the Trash.
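The removal step above is manual and easy to get wrong when checking many machines. The following POSIX shell script is an added example, not code from the Computerworld article or from Apple or Oracle: it inspects the directory the article names (/Library/Java/JavaVirtualMachines) for a 1.7.x bundle such as "1.7.0.jdk" and reports whether the Java 7 runtime is still present, so an administrator can confirm that the removal actually happened. The directory is a parameter (with the article's path as the default) so the check can be pointed at a test copy; the function names, the JVM_DIR environment override, and the assumption that every bundle name ends in ".jdk" are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): report whether a Java 7 runtime bundle
# is still installed in the JVM directory the article names. Read-only: it only
# lists and reports, it does not remove anything.

# Default location named in the article; override with JVM_DIR=... or a parameter.
JVM_DIR_DEFAULT="/Library/Java/JavaVirtualMachines"

# list_jvms DIR: print the names of the *.jdk bundles found in DIR, one per line.
# Prints nothing (and succeeds) when DIR does not exist or holds no bundles.
list_jvms() {
    dir="${1:-$JVM_DIR_DEFAULT}"
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*.jdk; do
        [ -e "$entry" ] || continue   # unmatched glob stays literal; skip it
        basename "$entry"
    done
}

# has_java7 DIR: exit 0 if a bundle whose name starts with "1.7." (for example
# the "1.7.0.jdk" bundle the article tells users to trash) exists in DIR.
has_java7() {
    dir="${1:-$JVM_DIR_DEFAULT}"
    list_jvms "$dir" | grep -q '^1\.7\.'
}

# report_java7 DIR: human-readable status. Returns 0 when no Java 7 runtime is
# present (the desired state), 1 when one is found.
report_java7() {
    dir="${1:-$JVM_DIR_DEFAULT}"
    if has_java7 "$dir"; then
        echo "Java 7 runtime still installed in $dir:"
        list_jvms "$dir" | grep '^1\.7\.'
        echo "Remove the bundle (as the article describes) or disable the browser Java plug-in."
        return 1
    fi
    echo "No Java 7 runtime found in $dir"
    return 0
}

# Run the check against the default (or JVM_DIR-overridden) directory.
report_java7 "${JVM_DIR:-$JVM_DIR_DEFAULT}"
```

Run it as `sh check-java7.sh` on the Mac being checked; a non-zero exit means the 1.7.x bundle is still present. Because the check is read-only and the directory is parameterised, it can be dropped into an inventory script without risk of deleting anything.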
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS
Comments
Hi All,
For your info, the latest update of Java 7 is still vulnerable.
Please read the article below:
http://news.cnet.com/8301-1009_3-57504640-83/new-vulnerabilities-found-in-latest-java-update/
Oracle Java is screwed up!
New vulnerabilities found in latest Java update
Following its latest updates, more vulnerabilities have been uncovered in Oracle's Java 7 runtime.
August 31, 2012 3:50 PM PDT
Only hours after Oracle released its latest Java 7 update to address active exploits, security researchers found yet another vulnerability that can be exploited to run arbitrary code on systems that have the runtime installed.
Oracle's latest release of its Java 7 runtime has come under scrutiny in the past few weeks after it was found being actively exploited in malware attacks that target Windows systems. While so far the vulnerability has only been found being used against Windows, other platforms such as the Mac OS could potentially be targeted through the same exploit.
In response to these findings, Oracle broke its quarterly update schedule for Java and released Update 7 for the runtime; however, even after this update, yet more vulnerabilities have been found. According to MacWorld, the Polish security firm Security Explorations is claiming to have discovered two new vulnerabilities in Java 7, which so far are proof-of-concept exploits that can be used to break the Java 7 sandbox and execute code. However, as with any vulnerability, this opens new avenues for malware attacks.
Security Explorations is keeping the details about these latest vulnerabilities secret until Oracle addresses the problem, and has only stated that when exploited they allow rogue Java applets to break the Java sandbox and execute arbitrary code on the system.
Being only proof-of-concept attacks means that for now they should not pose much of a threat to Java users, and Oracle should address them in future updates. However, Oracle has recently met some criticism for its lackadaisical approach to addressing some known exploits. According to PCWorld, Oracle has known about these and other exploits since April of this year, and has not taken steps to close them.
These latest developments serve as a warning against using Java when not needed and also prematurely updating Java. Java 7 is still very early in its development, being only the seventh release so far, whereas prior runtimes have received over 30 updates to patch and manage vulnerabilities. As a result, if you need Java then you might consider installing a prior runtime version that has been well-tested, but if you do not need Java then you might consider avoiding installing it or removing it from your system if it is already installed.
Java 7 is an optional third-party installation for its supported operating systems, so only those who have installed it should be cautious of these vulnerabilities.