New Java plug-in vulnerability being exploited. Disable Java Now!
August 29, 2012
Over the last few days I have learned about a brand new vulnerability in Oracle's Java virtual machine. It is an unpatched zero-day, and an exploit for it has just been added to the infamous BlackHole Exploit Kit. The next scheduled Java update is in mid-October! If you have Java installed, you are in danger right now.
The version of Java targeted by this new exploit is the latest one: Java 7 (version string 1.7.0). Interestingly, there is another current version in the old series 6: Java/JRE 6 Update 34 (version string 1.6.0_34), which is not vulnerable to this particular attack vector! So, if you check your installed programs and plug-ins and find that you have Java 6 Update 34 and no other older or newer version or series, you can probably slide by for a little while (until the next patches are released in October).
But, if you do have Java 7 (1.7.0), you are vulnerable and need to take some preventative action. First of all, the exploit affects all browsers and all operating systems. It doesn't matter if you browse with Google Chrome on Linux; if the exploit kit server you land on is set up to target Linux computers, you can be exploited. Ditto for Macs. Windows users are the primary fish in the malware ocean and are always at risk.
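The version check described above, written out as a small POSIX shell script. This is an added example, not code from the original post: it assumes the version string comes from the first line of `java -version` (which looks like `java version "1.7.0_06"` or `java version "1.6.0_34"`), and it encodes the rule stated above (Java 7 is hit by this exploit, Java 6 Update 34 is not, older Java 6 builds are merely out of date). The cut-off values are the post's, as of this writing; adjust them once Oracle ships a fix.

```shell
#!/bin/sh
# Added example (not from the original post): classify an installed Java
# version against the rule in the text above. Version strings are assumed
# to come from `java -version`, e.g. java version "1.7.0_06".

# classify_java_version "<major.minor.patch[_update]>"
# prints one of: vulnerable, not-affected, outdated, unknown
classify_java_version() {
    ver="$1"
    case "$ver" in
        1.7.0*)
            # Java 7: targeted by the current zero-day; disable or uninstall
            echo "vulnerable"
            ;;
        1.6.0_*)
            update="${ver#1.6.0_}"
            # keep only the leading digits, in case a build tag follows
            update="${update%%[!0-9]*}"
            if [ "${update:-0}" -ge 34 ]; then
                # Java 6 Update 34: not hit by this exploit (still apply October's patches)
                echo "not-affected"
            else
                # older Java 6: not this bug, but unpatched for other published holes
                echo "outdated"
            fi
            ;;
        1.6.0)
            echo "outdated"
            ;;
        *)
            echo "unknown"
            ;;
    esac
}

# parse_java_version "<first line of java -version output>"
# prints the bare version string found between the double quotes
parse_java_version() {
    line="$1"
    v="${line#*\"}"
    v="${v%\"*}"
    echo "$v"
}

# check_installed_java: run the real `java -version` if a java binary is on PATH
# and print the classification for it
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH"
        return 0
    fi
    # java -version writes to stderr, so merge it into stdout before reading
    first_line=$(java -version 2>&1 | head -n 1)
    classify_java_version "$(parse_java_version "$first_line")"
}

check_installed_java
```

Run it on each machine you are responsible for; a result of "vulnerable" means Java 7 is present and the rest of this article applies to you. Note that it only sees the `java` binary first on the PATH, so a browser plug-in from a second installation can still be present; check the browser's plug-in list as well.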
What you can do now.
Two word answer: UNINSTALL JAVA
If you use a productivity program like OpenOffice, or a custom application that requires Java but does not run inside a web browser, you can at least disable the Java "plug-ins" in all of your installed browsers. Every browser has a means of enabling, disabling, installing and uninstalling plug-ins. Search your browser's options, or read the instructions on this page.
If you must keep Java enabled to run important programs, try to keep those computers off the Internet. If that is not possible, consider reducing their accounts to least-privileged accounts (e.g. Limited User), so that a successful exploit cannot install software system-wide. I have published several blog articles and web pages about operating with reduced user privileges. Use my blog's search box, or see the popular posts section for this info.
It is hoped that Oracle will hurry up and release a patch before October. If and when they do, you can decide if you still want to use Java and install the newer version. I have uninstalled Java and Java plug-ins from all of my computers and have not had anything important fail to run. Each brand of browser has its own system for managing add-ons, extensions and plug-ins, like Java.
Another way you can protect your computers from Java exploit kits is by blocking active content in the browser. The NoScript plug-in for Firefox and ScriptNo for Chrome are the foremost JavaScript and Java blockers. They are available from the add-ons repository accessible from the Firefox "Tools" > "Add-Ons" page, or Google Chrome's "Settings" > "Extensions." Both block these technologies by default, unless you allow them on a per page or per website basis.
Java and JavaScript are two entirely different technologies, not to be confused. JavaScript is written as plain text commands that are interpreted by the web browser itself. It creates drop-down navigation menus and mouse-over effects, among other neat functions, as well as popup boxes and alerts. Java is a compiled program, typically served as an "applet" that runs in a separate plug-in inside the browser, or as an application on your computer desktop. It is a mini program.
FYI: Java exploits are usually delivered via spam email, using obfuscated links that lead to compromised websites. These websites either host the exploit themselves or redirect victims to other remote servers that contain the exploit code, and it is JavaScript on that landing page that detects your Java version and loads the malicious applet. If you are lured there and have JavaScript disabled (by NoScript, or restricted browser settings), nothing will happen. So, although Java and JavaScript are different, they are used together by criminals to take over computers and make them members of spam and DDoS attack botnets. Most victims also get a banking Trojan installed, to empty their bank accounts if they do online banking.
Recap:
Protect your computers from Java exploit attack kits by using the NoScript or ScriptNo add-ons, operating as a less privileged user rather than an administrator, and disabling the Java plug-ins in your browsers, or ... uninstall Java completely (all versions)!
For Windows computer users, uninstall Java via Start > (Settings) Control Panel > "Add/Remove Programs" (on Windows XP) or "Programs" > "Uninstall a program" (on Vista and Windows 7). Uninstall every Java entry shown in the list, including old Java 6 updates, then reboot.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.