Java 7 Zero Day Vulnerability

Earlier this week infosec researcher Esteban Guillardoy unveiled details of an unpatched vulnerability in Oracle’s Java 7 software. This vulnerability is being actively exploited in the wild and has been implemented in various exploit toolkits such as Metasploit and BlackHole. Moreover, according to Guillardoy, exploits for this vulnerability are typically 100% reliable. This certainly got my attention, because in my experience many vulnerabilities require specific configuration settings or a particular scenario in order to be reliably exploitable. So this is a big deal, especially given that Java 7 is estimated to be installed on upwards of 1 billion devices.

To make matters worse, Oracle currently has no plans to patch the vulnerability until October 2012. And even once a patch is made available, it will likely be years before a significant majority of devices get updated. That means this vulnerability will likely be a primary target of attacks for years to come. This vulnerability is most likely to be exploited remotely by a malicious website if the user’s browser is configured to run Java automatically. Because of this, we can expect to see drive-by infections of systems as users access malicious sites unintentionally, most likely from malicious iframes on compromised websites. Malicious banner ads are another likely source of infection.

Given that no patch is expected until October, the following remediation options are recommended:

  1. Determine if your browser is vulnerable by going to http://www.isjavaexploitable.com
  2. Remove Java 7 if it is not needed on your device
  3. Downgrade to Java 6 if Java is required and your application supports Java 6
  4. Remove the Java plugin from your browsers if you do not use any Java web-based applications, but need it for non-web applications like OpenOffice
  5. If you use Firefox, install NoScript to block Java from running when accessing untrusted sites
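
For anyone applying options 2 and 3 across more than one machine, the following sketch (an added example, not part of the original post) parses the banner printed by `java -version` and flags Java 7 installs for removal or downgrade. The host names and banner strings in `SAMPLE` are constructed for illustration.

```python
import re
import subprocess

# First line of `java -version` looks like: java version "1.7.0_06"
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')

def parse_java_version(banner):
    """Return (major, update) from `java -version` output, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    first, second = int(m.group(1)), int(m.group(2))
    # The legacy scheme reports Java 7 as "1.7.0_NN": the major is the second field.
    major = second if first == 1 else first
    update = int(m.group(4)) if m.group(4) else 0
    return major, update

def triage(banner):
    """Map a version banner to the remediation options listed in the post."""
    if not banner.strip():
        return "no Java found"
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown: inspect manually"
    major, update = parsed
    if major == 7:
        return "Java 7 update %d: remove, or downgrade to Java 6 if required" % update
    return "Java %d: not Java 7, outside the scope of this advisory" % major

def local_banner():
    """Banner of the java on PATH, or '' if none (java -version writes to stderr)."""
    try:
        p = subprocess.run(["java", "-version"], capture_output=True,
                           text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return ""
    return p.stderr + p.stdout

# Constructed sample inventory: host names and banners are made up.
SAMPLE = {
    "desk-01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment',
    "desk-02": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment',
    "desk-03": "",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE.items()):
        print(host, "->", triage(banner))
    print("this host ->", triage(local_banner()))
```

This only inspects the `java` found on the PATH; a browser plugin or a second runtime installed elsewhere still needs the checks in options 1 and 4.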

 

One Response to “Java 7 Zero Day Vulnerability”

  1. Mark Baldwin says:

    This just in. Oracle is releasing an out of cycle patch to address this vulnerability.

    http://reviews.cnet.com/8301-13727_7-57503787-263/oracle-patches-java-7-vulnerability/
