New Java 7 exploit allows hackers to install malware on Windows, Mac OS X, and Linux; only fix currently is to disable Java
August 28, 2012
Perhaps due to their high market penetration, or maybe because of poor coding, Adobe Flash and Java have emerged as the two most widely attacked platforms on Windows, Mac OS X, and Linux alike. Indeed Adobe just recently patched a new Flash vulnerability, and now it is Java’s turn.
A new Java 7 (also known as Java 1.7) exploit has been discovered that allows hackers to install malware on Windows, Mac OS X, and Linux machines. According to reports, in-the-wild attacks using this exploit are currently only targeting Windows, but the exploit can be easily reworked for Mac OS X and Linux machines that have the latest version of Java installed. The exploit allows hackers to gain access to infected computers and execute malicious code outside of Java. Of the attacks discovered so far, the attack vector has been infected websites, and the attacks have installed the Poison Ivy Remote Access Trojan on infected machines.
What is remarkable about this exploit is that it circumvents Java’s security sandbox, a feature of Java that is supposed to restrict malicious Java code to just Java and not allow access to other parts of your system. So much for that.
Oracle has yet to respond to news of this new exploit; thus, this bug has not been patched and there is no time frame for when a patch will be released. (An unofficial patch can be requested from two security researchers, but it isn’t recommended because it can cause instabilities.) The next scheduled Java patch is for mid October, so unless Oracle issues an emergency update, October is the earliest this will get fixed. Until then, security experts are suggesting that users uninstall Java if they don’t use it for any programs (such as OpenOffice). If you do use Java, then at least disable Java in your browser to protect yourself from drive-by attacks. If you don’t want to disable Java at all, you can downgrade to an earlier version of Java to protect yourself from this particular exploit, but downgrading is not recommended because earlier versions of Java have their own problems.
[via ArsTechnica | Image via Joelk75]
24 Comments »
The reason Java and Adobe Flash are so frequently exploited is because they are the two most widely used, Internet-facing platforms that don’t use ASLR, and so they are the most reliable attack vectors. If an exploit works once, then it will likely continue to work as expected – barring aftermarket variables like heuristic detection, IPS detection, etc. – until patches are released and deployed.
And I just upgraded to Java 7 last week and started using the java based Jdownloader yesterday. Just my luck! I guess Noscript will at least keep Firefox safe, right?
@Eric: better disable the java plugin.
Press Ctrl-Shift-A, select “plugins” and click on the appropriate “Disable”-buttons.
@Peter:
Thanks Peter. There is a problem though. I couldn’t even reply to this comment without re-enabling javascript so how did you do it?
How do we know if we have Java 7? Is that the folder jre7?
Is Java [7] different from Java[FX 2.1] Runtime?
@Janet:
Don’t know about FX 2.1 but (random, scary link you probably don’t want to click on) http://isjavaexploitable.com/ will tell you what version of Java you are using. I got that link from MajorGeeks here (not as scary link) http://www.majorgeeks.com/story.php?id=35660
Sorry Ashraf if I am not supposed to post links. I didn’t see anything telling me not to.
FWIW, Java’s V.6 is unaffected by this and most AV’s will protect against it as well.
We can get the latest Java 6 releases from the following page (scroll down about 1/3rd of the page)
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Java 6 is still being updated (current version – at time of posting – is 6u34 which was released at the same time as Java 7u6)
What can one say about “scheduled” security up-dates?
Morpheus says don’t ask the Oracle, or Adobe.
Big IT seems to be the weakest security point in contemporary PC-ing; apparently the lion’s share of their resources go to fat corporate management and crumbs to R&D. That is the current industry standard.
Disable scripts and surf more securely–don’t frequent sites that require scripts to display. And, of course, complain at sites that use scripts… they all think they know more than we do.
@Janet:
To check your current version of Java, simply go to the Control Panel, double-click on the Java Icon, and click on “About”.
Just so you know, you can also check your current version of Adobe Flash Player by also going to the Control Panel, double-clicking on the Flash Player icon, selecting the Advanced tab, and clicking on “Check Now”.
I hope this helps.
Thanks to those above who answered my concerns as to whether Java R6 is considered safe from this exploit.
I sure wonder why the article seems to indicate that Linux machines (by that I mean “root”) would be vulnerable to this exploit, no matter how it were to be reworked. Not much is able to get past the security Linux has built in.
@Ebo: Java and Adobe Flash are targeted not only because practically every machine has it but probably because of the lack of updates. Someone finds an exploit and often some considerable time has passed before it’s patched. *cough* adobe reader *cough* :)
I have Java 7 Update 5. What are all you guys doing? Disabling? How do you do that? Won’t an awful lot of web sites not work…?
You don’t need Java for OpenOffice (http://www.openoffice.org/download/common/java.html), JDownloader (it downloads its own into “C:\Program Files (x86)\JDownloader” on install w/o Java), and most to virtually all websites.
In fact, when I got my new computer, I didn’t bother installing Java. Got zero problems.
This looks like something the NoScript extension (in Firefox) would prevent – it blocks all scripts from running, lets you allow them by site. So your trusted sites still work, and others you can see what script needs to run, research it on the web (or middle-click to see WOT, Google and other ratings of the questioned site). Then you decide to allow always, one time, or not at all.
If you simply disable the Java plugin in Firefox, you can’t even post a comment on DotTech. I just tried!
@Mr.Dave: The problem with NoScript is hacked websites within your whitelist. Sure it can prevent XSS, but that isn’t perfect.
@Zapped Sparky: Actually, that’s a meme, and Java updates aren’t that infrequent. If this were really the case, then we’d see more browser-based exploits. But browsers are subject to ASLR, which is why browser-based exploits generally only work on XP and earlier, even if it takes months to patch a vuln. No, my original statement stands. :)
@Eric: JavaScript and Java Runtime are not the same thing. You don’t have to disable JS.
@Ebo:
So what DO you disable and how…..(I have IE8–no Firefox, no Chrome, etc.)….?
Current useful info:
http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html
@Janet: Here you go: http://www.geek.com/articles/chips/how-to-disable-java-on-everything-20120828/
Oracle has released Java 7u7 which (I believe) includes the fix for this exploit.
Update via your usual methods, or you can get it via the following page
http://www.oracle.com/technetwork/java/javase/downloads/index.html
They also released Java 6u35 at the same time, which you can get via that same page
(for those of us not quite ready to go back to Java 7 at the moment ;-))
@Grantwhy: It does include the fix: http://osxdaily.com/2012/08/30/java-se-7u7-update-fixes-security-issue/
@Peter:
I was wrong about not being able to reply to comments. NoScript was what was preventing that. NoScript seems to interfere with the normal function of almost all sites unless you put them in your whitelist or whatever.
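For the "which Java do I have, and is it the exposed one?" question raised in the comments, here is an added example (not part of the original article or any commenter's post) that classifies a `java -version` banner. It assumes the usual `java version "1.7.0_NN"` banner format and takes the 7u7 fix threshold from the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a `java -version` banner using the thread's facts
# (exploit targets Java 7; Java 7u7 carries the fix). Names are hypothetical.

# java_exposure BANNER -> prints affected | patched | other | unknown
java_exposure() {
    # Pull the quoted version, e.g. 1.7.0_05 from: java version "1.7.0_05"
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }

    case "$ver" in
        1.7.0*) ;;                      # Java 7 line: keep checking
        *) echo other; return 0 ;;      # e.g. 1.6.0_34: not the Java 7 line
    esac

    # The update number follows "_"; a bare "1.7.0" is the initial release.
    case "$ver" in
        *_*) upd=${ver#*_} ;;
        *)   upd=0 ;;
    esac
    upd=${upd%%-*}                                # drop suffixes such as "-b24"
    upd=$(printf '%s' "$upd" | sed 's/^0*//')     # "05" -> "5"
    upd=${upd:-0}
    case "$upd" in *[!0-9]*) echo unknown; return 0 ;; esac

    if [ "$upd" -lt 7 ]; then echo affected; else echo patched; fi
}

# Classify the locally installed runtime, if any (the banner goes to stderr).
check_local_java() {
    if command -v java >/dev/null 2>&1; then
        java_exposure "$(java -version 2>&1)"
    else
        echo no-java
    fi
}

# Constructed sample banners (not captured from real machines).
for b in 'java version "1.7.0_05"' 'java version "1.7.0_07"' 'java version "1.6.0_34"'; do
    printf '%s -> %s\n' "$b" "$(java_exposure "$b")"
done
```

A result of `other` only means the runtime is not on the Java 7 line; as the article notes, earlier versions have their own problems.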