Alert (TA12-240A)
Oracle Java 7 Security Manager Bypass Vulnerability
Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0) including
- Java Platform Standard Edition 7 (Java SE 7)
- Java SE Development Kit (JDK 7)
- Java SE Runtime Environment (JRE 7)
- OpenJDK 7 and 7u
IcedTea 2.3.0 (based on OpenJDK 7) is also affected.
Web browsers using the Java 7 plug-in are at high risk.
Overview
A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.
Description
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious applet.
Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.
Further technical details are available in Vulnerability Note VU#636312.
Impact
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.
Solution
Update Java
This and other vulnerabilities are addressed by Java 7 Update 7. Please see Oracle Security Alert for CVE-2012-4681 for more information.
This vulnerability is addressed in IcedTea 2.3.1.
Reports indicate that other vulnerabilities remain after updating Java to Update 7.
Disable the Java plug-in, Java Deployment Toolkit, and Java Web Start functionality
To protect against this and future vulnerabilities, consider disabling the Java plug-in, Java Deployment Toolkit, and Java Web Start functionality. There are multiple ways to invoke Java in different web browsers and operating systems, and it can be difficult to completely disable browser support for Java. Check the Solution section of VU#636312 for up-to-date information.
Here are instructions for several common web browsers. Take care to disable both the Java and Java Deployment Toolkit plug-ins and, if necessary, disable Java Web Start by breaking JNLP handling.
- Apple Safari: How to disable the Java web plug-in in Safari, disable "Open 'safe' files after downloading"
- Mozilla Firefox: How to turn off Java applets
- Google Chrome: See the "Disable specific plug-ins" section of the Chrome plug-ins documentation.
- Microsoft Internet Explorer: Disabling Java in Internet
Explorer is significantly more complicated than with other browsers. Please see
the instructions
in VU#636312.
Downgrade to Java 6
Consider uninstalling Java 7 and using Java 6.
Use NoScript
NoScript is a browser extension for Mozilla Firefox browsers that provides options to block Java applets.
References
- Vulnerability Note VU#636312
- Oracle Security Alert for CVE-2012-4681
- Let's start the week with a new Java 0-day in Metasploit
- Zero-Day Season is Not Over Yet
- http://pastie.org/4594319
- Java 7 0-Day vulnerability information and mitigation.
- The Security Manager
- How to disable the Java web plug-in in Safari
- How to turn off Java applets
- NoScript
- Vulnerability Summary for CVE-2012-4681
- Update Release Notes: Changes in 1.7.0_07
- SE-2012-01 Frequently Asked Questions
- New security issue affecting Java SE 7 Update 7
- Securing Your Web Browser
Revision History
- August 27, 2012: Initial release
- August 30, 2012: Added fix information for Java 7 Update 7, pointed to VU#636312 to disable IE Java Plug-in
- September 05, 2012: Expanded mitigation advice to cover new attack vectors, added IcedTea information
This product is provided subject to this Notification and this Privacy & Use policy.
