New Java 7 exploit allows hackers to install malware on Windows, Mac OS X, and Linux; only fix currently is to disable Java

Perhaps due to their high market penetration, or maybe because of poor coding, Adobe Flash and Java have emerged as the two most widely attacked platforms on Windows, Mac OS X, and Linux alike. Indeed Adobe just recently patched a new Flash vulnerability, and now it is Java’s turn.

A new Java 7 (also known as Java 1.7) exploit has been discovered that allows hackers to install malware on Windows, Mac OS X, and Linux machines. According to reports, in-the-wild attacks using this exploit currently target only Windows, but the exploit can easily be reworked for Mac OS X and Linux machines that have the latest version of Java installed. The exploit lets attackers gain access to infected computers and execute malicious code outside of Java. In the attacks discovered so far, the attack vector has been infected websites, and the attacks have installed the Poison Ivy Remote Access Trojan on infected machines.

What is remarkable about this exploit is that it circumvents Java’s security sandbox, the feature that is supposed to confine malicious Java code to the Java runtime and deny it access to the rest of your system. So much for that.

Oracle has yet to respond to news of this exploit, so the bug has not been patched (aside from an unofficial patch that you can request from two security researchers; using the unofficial patch is not recommended because it can cause instability), and there is no time frame for when a patch will be released. The next scheduled Java patch is for mid-October, so unless Oracle issues an emergency update, the earliest this will be fixed is October. Until it is fixed, security experts are suggesting that users uninstall Java if they don’t use it for any programs (such as OpenOffice). If you do use Java, then at least disable Java in your browser to protect yourself from drive-by attacks. If you don’t want to disable Java at all, you can downgrade to an earlier version of Java to protect yourself from this particular exploit, but downgrading is not recommended because earlier versions of Java have their own problems.
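The advice above (uninstall Java, or at least keep it out of the browser, and avoid downgrading blindly) assumes you know which Java line each machine is running. The script below is an added example, not code from the article or from Oracle: it parses the output of `java -version` and flags installs in the Java 7 (1.7) line that the article describes as affected, while leaving Java 6 unflagged. The `fixed_update` parameter is an assumption hook for when a fixed release exists (commenters below report 7u7; the article itself describes no patch), and the sample version strings are constructed for the example.

```python
"""Inventory check for the Java 7 issue discussed in the article.

Added example (not from the article or Oracle). Parses `java -version`
output and reports whether the install falls in the affected Java 7 line.
Standard library only.
"""
import re
import shutil
import subprocess
from typing import NamedTuple, Optional

# Matches lines such as:  java version "1.7.0_05"   or   java version "1.6.0_34"
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


class JavaVersion(NamedTuple):
    major: int    # "1" in 1.7.0_05
    minor: int    # "7" in 1.7.0_05 (the marketing name "Java 7")
    patch: int    # "0" in 1.7.0_05
    update: int   # "5" in 1.7.0_05 (the "u5" in "7u5")


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract the version from `java -version` output; None if no version line is present."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return JavaVersion(int(major), int(minor), int(patch), int(update or 0))


def is_affected(v: JavaVersion, fixed_update: Optional[int] = None) -> bool:
    """True if the JRE is in the range the article calls vulnerable.

    Per the article, Java 7 (1.7) is affected and Java 6 is not. `fixed_update`
    is an assumption hook: pass the update number of a release you trust to
    contain the fix and installs at or above it are reported clean. With the
    default None every Java 7 install is flagged, matching the article's
    "no patch yet" position.
    """
    if (v.major, v.minor) != (1, 7):
        return False
    if fixed_update is not None and v.update >= fixed_update:
        return False
    return True


def check_local_java(fixed_update: Optional[int] = None) -> str:
    """Run the java binary found on PATH (if any) and report its status as one line."""
    java = shutil.which("java")
    if java is None:
        return "no java binary on PATH"
    # `java -version` writes to stderr on most JREs, so read both streams.
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    v = parse_java_version(proc.stderr + proc.stdout)
    if v is None:
        return f"could not parse a version from {java}"
    if is_affected(v, fixed_update):
        status = "AFFECTED: disable the browser plugin or uninstall"
    else:
        status = "not affected"
    return f"{java}: {v.major}.{v.minor}.{v.patch}_{v.update:02d} -> {status}"


# Constructed sample outputs for demonstration (not captured from a real machine).
SAMPLE_OUTPUTS = {
    "java7u5": 'java version "1.7.0_05"\nJava(TM) SE Runtime Environment\n',
    "java6u34": 'java version "1.6.0_34"\nJava(TM) SE Runtime Environment\n',
    "java7u7": 'java version "1.7.0_07"\n',
}

if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        v = parse_java_version(text)
        print(name, v,
              "affected" if is_affected(v) else "ok",
              "| assuming 7u7 is fixed:", is_affected(v, fixed_update=7))
    print(check_local_java())
```

Run it on each machine you manage; the sample strings exercise the parser offline, and the final line reports the Java actually on PATH. Note that a browser plugin can point at a different JRE than the one on PATH, so treat this as an inventory aid, not proof that the plugin is disabled.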

[via ArsTechnica | Image via Joelk75]

  • Eric

    I was wrong about not being able to reply to comments. NoScript was what was preventing that. NoScript seems to interfere with the normal function of almost all sites unless you put them in your whitelist or whatever.

  • Grantwhy

    Oracle has released Java 7u7 which (I believe) includes the fix for this exploit.

    update via your usual methods, or you can get it via following page

    They also release Java 6u35 at the same time which you can get via that same page
    (for those of us not quite ready to go back to Java 7 at the moment ;-))

  • Janet

    So what DO you disable and how... (I have IE8, no Firefox, no Chrome, etc.)?

  • Ebo

    @Eric: JavaScript and Java Runtime are not the same thing. You don’t have to disable JS.

  • Ebo

    @Zapped Sparky: Actually, that’s a meme, and Java updates aren’t that infrequent. If this were really the case, then we’d see more browser-based exploits. But browsers are subject to ASLR, which is why browser-based exploits generally only work on XP and earlier, even if it takes months to patch a vuln. No, my original statement stands. :)

  • J.L.

    @Mr.Dave: The problem with NoScript is hacked websites within your whitelist. Sure it can prevent XSS, but that isn’t perfect.

  • Mr.Dave

    This looks like something the NoScript extension (in Firefox) would prevent – it blocks all scripts from running, lets you allow them by site. So your trusted sites still work, and others you can see what script needs to run, research it on the web (or middle-click to see WOT, Google and other ratings of the questioned site). Then you decide to allow always, one time, or not at all.

    If you simply disable the Java plugin in Firefox, you can’t even post a comment on DotTech. I just tried!

  • J.L.

    You don’t need Java for OpenOffice, JDownloader (it downloads its own into “C:\Program Files (x86)\JDownloader” on install w/o Java), and most to virtually all websites.

    In fact, when I got my new computer, I didn’t bother installing Java. Got zero problems.

  • Janet

    I have Java 7 Update 5. What are all you guys doing? Disabling? How do you do that? Won’t an awful lot of web sites not work…?

  • Zapped Sparky

    @Ebo: Java and Adobe Flash are targeted not only because practically every machine has it but probably because of the lack of updates. Someone finds an exploit and often some considerable time has passed before it’s patched. *cough* adobe reader *cough* :)

  • AFPhys

    Thanks to those above who answered my concerns as to whether Java R6 is considered safe from this exploit.

    I sure wonder why the article seems to indicate that Linux machines (by that I mean “root”) would be vulnerable to this exploit, no matter how it were to be reworked. Not much is able to get past the security Linux has built in.

  • DMC

    To check your current version of Java, simply go to the Control Panel, double-click on the Java Icon, and click on “About”.

    Just so you know, you can also check your current version of Adobe Flash Player by also going to the Control Panel, double-clicking on the Flash Player icon, selecting the Advanced tab, and clicking on “Check Now”.

    I hope this helps.

  • DoktorThomas

    What can one say about “scheduled” security updates?
    Morpheus says don’t ask the Oracle, or Adobe.
    Big IT seems to be the weakest security point in contemporary PC-ing; apparently the lion’s share of their resources go to fat corporate management and crumbs to R&D. That is the current industry standard.
    Disable scripts and surf more securely–don’t frequent sites that require scripts to display. And, of course, complain at sites that use scripts… they all think they know more than we do.

  • Grantwhy

    We can get the latest Java 6 releases from the following page (scroll down about 1/3rd of the page)

    Java 6 is still being updated (current version – at time of posting – is 6u34 which was released at the same time as Java 7u6)

  • Relax

    FWIW, Java’s V.6 is unaffected by this and most AVs will protect against it as well.

  • Eric

    Don’t know about FX 2.1 but (random, scary link you probably don’t want to click on) will tell you what version of Java you are using. I got that link from MajorGeeks here (not as scary link)
    Sorry Ashraf if I am not supposed to post links. I didn’t see anything telling me not to.

  • Janet

    How do we know if we have Java 7? Is that the folder jre7?

    Is Java [7] different from Java[FX 2.1] Runtime?

  • Eric

    Thanks Peter. There is a problem though. I couldn’t even reply to this comment without re-enabling javascript so how did you do it?

  • Peter

    @Eric: better disable the java plugin.
    Press Ctrl-Shift-A, select “plugins” and click on the appropriate “Disable”-buttons.

  • Eric

    And I just upgraded to Java 7 last week and started using the java based Jdownloader yesterday. Just my luck! I guess Noscript will at least keep Firefox safe, right?

  • Ebo

    The reason Java and Adobe Flash are so frequently exploited is because they are the two most widely used, Internet-facing platforms that don’t use ASLR, and so they are the most reliable attack vectors. If an exploit works once, then it will likely continue to work as expected – barring aftermarket variables like heuristic detection, IPS detection, etc. – until patches are released and deployed.