Not so fast: Java 7 Update 7 critical vulnerability discovered in less than 24 hours

Published: 2012-08-31
Last Updated: 2012-08-31 18:13:32 UTC
by Russ McRee (Version: 1)
6 comment(s)

Polish security firm Security Explorations has sent an advisory, with a proof-of-concept exploit, to Oracle today (Friday 31 AUG) for a vulnerability they discovered in the Java 7 security update released Thursday. This newly reported vulnerability can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.
Stand by for more on this one; no word yet from Oracle regarding their remediation plans.

As Rapid7's Tod Beardsley has said: "As it happens, very few websites rely on Java for dynamic content. Java isn't relied on nearly as much as Javascript and Flash. Most people can disable their Java browser plugin and not really notice the difference."

What mitigations are you utilizing to protect yourselves? Going so far as disabling Java altogether? Feedback welcome via comments.

See Scott's post from yesterday for the original advisory details.

Russ McRee | @holisticinfosec





Well, more and more B2B services are based on Java because of faster development.
So the real danger here is when companies using these services have been hacked, and the hacker gets hold of important information.
Regards Robert
I do not have it installed on any home computers. At work, sadly, we use Oracle HRMS and it requires it. It's also the application that usually keeps us from upgrading the JRE on the desktops. We also use a lot of local government websites for document lookups and not only do they love Java, they love to use unsigned ActiveX controls or they use signed ActiveX controls where the code signing certificate expired years ago. Or their Java code signing certificate expired years ago. <sigh>
Using regular expressions at our web firewall, we are blocking access to all *.java *.class and *.jar files except for whitelisted sites.
Here in Denmark, you are forced to have Java installed, as all your interaction with the city/government uses a Java implementation of challenge/response OTP on paper for identifying you.
All sensible persons were against requiring client Java (the applets need to have full control over your machine, such that the government can use it to install spyware ^H^H^H^H^H^H check your machine for malware (which they do not do)). But it is difficult to talk sense into government or their semi-public implementation partners.
Other government sites, like import/export registration, not only require Java, but often break if you have installed a version not at least 10 patches old.

All this just shows how government organizations are completely out of touch with the real world.

Rumors are, that the citizen ID will move to a non-Java implementation within a couple of years, but they are always late with their implementations. The problem is, that all the sites depending on citizen ID will not work in most browsers (mobile devices).

The Danish government puts its citizens at risk.
This article provided some options.

I reviewed and because we have to have it for a few internal applications, but may only need for a VERY limited few external applications, I believe that method 2 (Java only working in TRUSTED sites) may be a fairly safe configuration. You would then have to manage Trusted sites for business users, but seems like it would be fairly easy to manage AND allow granularity based on Group membership (policy driven Registry Management).
Through Group Policy, we use zone mapping to control what websites are permitted to run active content. We're small so the list of sites is manageable (around 75 or so). Also, less than a handful of trusted users have local admin rights on their PCs.
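The extension-based blocking one commenter describes above (allow *.java, *.class and *.jar only from whitelisted sites) as an added Python example; this is not the diary's or any commenter's configuration, and the trusted hosts and proxy log lines are constructed for illustration. It also covers the edge cases a naive regex misses: uppercase extensions, query strings, percent-encoded dots, and look-alike hosts that merely start with a trusted name.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed whitelist: only these hosts (and their subdomains) may serve Java content.
TRUSTED_JAVA_HOSTS = {"hrms.example.com", "lookup.example.org"}

# The extensions the comment blocks; matched against the decoded path only, so a
# query string, fragment or %2E encoding cannot hide the extension from the rule.
JAVA_EXT = re.compile(r"\.(?:java|class|jar)$", re.IGNORECASE)

def is_java_request(url):
    """True if the URL path ends in a Java artifact extension."""
    return bool(JAVA_EXT.search(unquote(urlsplit(url).path)))

def host_is_trusted(host):
    """Exact or subdomain match; 'hrms.example.com.evil.net' must not match."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_JAVA_HOSTS)

def decide(url):
    """Return 'allow' or 'block' for one requested URL."""
    if not is_java_request(url):
        return "allow"  # non-Java content is outside this rule's scope
    return "allow" if host_is_trusted(urlsplit(url).hostname or "") else "block"

def filter_proxy_log(lines):
    """Apply the rule to proxy log lines of the form 'client method url'."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than guessing
        results.append((parts[2], decide(parts[2])))
    return results

if __name__ == "__main__":
    SAMPLE_LOG = [  # constructed log lines, not real traffic
        "10.0.0.5 GET https://hrms.example.com/app/client.jar",
        "10.0.0.5 GET http://ads.example.net/loader.JAR?x=1",
        "10.0.0.7 GET http://hrms.example.com.evil.net/x.class",
        "10.0.0.7 GET http://cdn.example.net/page.html",
        "10.0.0.9 GET http://cdn.example.net/payload%2Ejar",
    ]
    for url, verdict in filter_proxy_log(SAMPLE_LOG):
        print(f"{verdict:5} {url}")
```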
