Perhaps due to their high market penetration, or maybe because of poor coding, Adobe Flash and Java have emerged as the two most widely attacked platforms on Windows, Mac OS X, and Linux alike. Indeed Adobe just recently patched a new Flash vulnerability, and now it is Java’s turn.
A new Java 7 (also known as Java 1.7) exploit has been discovered that allows hackers to install malware on Windows, Mac OS X, and Linux machines. According to reports, in-the-wild attacks using this exploit are currently only targeting Windows but the exploit can be easily reworked for Mac OS X and Linux machines that have the latest version of Java installed. The exploit allows hackers to gain access to infected computers and execute malicious outside of Java. Of the attacks discovered so far, the attack vector has been infected websites and the attacks have installed Poison Ivy Remote Access Trojan on infected machines.
What is remarkable about this exploit is it circumvents Java’s security sandbox, a feature of Java that is supposed to restrict malicious Java code to just Java and not allow access to other parts of your system. So much for that.
Oracle has yet to respond to news of this new exploit; thus, this bug has not been patched (aside from an unofficial patch that you can request from two security researchers — it isn’t recommended that you go for the unofficial patch because it can cause instabilities) and there is no time frame on when a patch will be released. The next scheduled Java patch is for mid October so unless Oracle introduces an emergency update, the earliest possible this will get fixed is October. Until this is fixed, security experts are suggesting users uninstall Java, if you don’t use Java for any programs (such as OpenOffice). If you do use Java, then at least disable Java in your browser to protect yourself from drive-by attacks. If you don’t want to disable Java at all, you can downgrade to an earlier version of Java to protect yourself from this particular exploit but downgrading is not recommended because earlier versions of Java have their own problems.