New Java 7 exploit allows hackers to install malware on Windows, Mac OS X, and Linux; only fix currently is to disable Java

Perhaps due to their high market penetration, or maybe because of poor coding, Adobe Flash and Java have emerged as the two most widely attacked platforms on Windows, Mac OS X, and Linux alike. Indeed, Adobe just recently patched a new Flash vulnerability, and now it is Java’s turn.

A new Java 7 (also known as Java 1.7) exploit has been discovered that allows hackers to install malware on Windows, Mac OS X, and Linux machines. According to reports, in-the-wild attacks using this exploit are currently only targeting Windows, but the exploit can be easily reworked for Mac OS X and Linux machines that have the latest version of Java installed. The exploit allows hackers to gain access to infected computers and execute malicious code outside of Java. In the attacks discovered so far, the attack vector has been infected websites, and the attacks have installed the Poison Ivy Remote Access Trojan on infected machines.

What is remarkable about this exploit is that it circumvents Java’s security sandbox, a feature of Java that is supposed to restrict malicious Java code to just Java and not allow access to other parts of your system. So much for that.

Oracle has yet to respond to news of this new exploit; thus, this bug has not been patched (aside from an unofficial patch that you can request from two security researchers; the unofficial patch isn’t recommended because it can cause instabilities) and there is no time frame for when a patch will be released. The next scheduled Java patch is for mid-October, so unless Oracle introduces an emergency update, October is the earliest this will get fixed. Until this is fixed, security experts are suggesting that users uninstall Java if they don’t use it for any programs (such as OpenOffice). If you do use Java, then at least disable Java in your browser to protect yourself from drive-by attacks. If you don’t want to disable Java at all, you can downgrade to an earlier version of Java to protect yourself from this particular exploit, but downgrading is not recommended because earlier versions of Java have their own problems.

[via ArsTechnica | Image via Joelk75]

24 comments

  1. Eric

    @Peter:
    I was wrong about not being able to reply to comments. NoScript was what was preventing that. NoScript seems to interfere with the normal function of almost all sites unless you put them in your whitelist or whatever.

  2. Ebo

    @Zapped Sparky: Actually, that’s a meme, and Java updates aren’t that infrequent. If this were really the case, then we’d see more browser-based exploits. But browsers are subject to ASLR, which is why browser-based exploits generally only work on XP and earlier, even if it takes months to patch a vuln. No, my original statement stands. :)

  3. Mr.Dave

    This looks like something the NoScript extension (in Firefox) would prevent – it blocks all scripts from running, lets you allow them by site. So your trusted sites still work, and others you can see what script needs to run, research it on the web (or middle-click to see WOT, Google and other ratings of the questioned site). Then you decide to allow always, one time, or not at all.

    If you simply disable the Java plugin in Firefox, you can’t even post a comment on DotTech. I just tried!

  4. Zapped Sparky

    @Ebo: Java and Adobe Flash are targeted not only because practically every machine has it but probably because of the lack of updates. Someone finds an exploit and often some considerable time has passed before it’s patched. *cough* adobe reader *cough* :)

  5. AFPhys

    Thanks to those above who answered my concerns as to whether Java R6 is considered safe from this exploit.

    I sure wonder why the article seems to indicate that Linux machines (by that I mean “root”) would be vulnerable to this exploit, no matter how it were to be reworked. Not much is able to get past the security Linux has built in.

  6. DMC

    @Janet:

    To check your current version of Java, simply go to the Control Panel, double-click on the Java Icon, and click on “About”.

    Just so you know, you can also check your current version of Adobe Flash Player by also going to the Control Panel, double-clicking on the Flash Player icon, selecting the Advanced tab, and clicking on “Check Now”.

    I hope this helps.

  7. DoktorThomas

    What can one say about “scheduled” security up-dates?
    Morpheus says don’t ask the Oracle, or Adobe.
    Big IT seems to be the weakest security point in contemporary PC-ing; apparently the lion’s share of their resources go to fat corporate management and crumbs to R&D. That is the current industry standard.
    Disable scripts and surf more securely–don’t frequent sites that require scripts to display. And, of course, complain at sites that use scripts… they all think they know more than we do.

  8. Ebo

    The reason Java and Adobe Flash are so frequently exploited is because they are the two most widely used, Internet-facing platforms that don’t use ASLR, and so they are the most reliable attack vectors. If an exploit works once, then it will likely continue to work as expected – barring aftermarket variables like heuristic detection, IPS detection, etc. – until patches are released and deployed.