Background

On August 27, 2012 security researchers reported an unpatched vulnerability in Oracle Java version 7 (aka 1.7).  Oracle typically relases Java patches every three months, with the next scheduled for October 2012. 

Impact

Browsing the web with a vulnerable version of Java JRE installed means that simply visiting a website is enough for an attacker to compromise your computer. This is known as a "drive-by download".

While "safe browsing" to only trusted websites may limit your exposure to drive-by downloads it does not address the underlying vulnerability and prevent exploitation. Please see "UISO Recommendations" and "Workarounds" below for further steps that must be taken.

The malicious software installed through these attacks will collect usernames and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, email etc.

Platforms Affected

All versions of Oracle Java JRE 7 (aka 1.7) from the initial release up through update 6 are vulnerable.

Old versions of Java JRE, including Java version 6 (aka 1.6), are not vulnerable.  Default installations of Mac OS X 10.8 Mountain Lion and 10.7 Lion are not vulnerable.

UISO Response

Using network sensors, the University Information Security Office (UISO) monitors the network for hosts with vulnerable versions of Java being exploited by drive-by downloads to install fake antivirus software and rootkits. This activity is expected to increase in the coming weeks. UISO does block this activity when we observe it on the network.

When a patch is made available, UISO will leverage Secunia Personal Software Inspector (PSI) to notify individual system owners of vulnerable versions of Java on Windows operating systems.

UISO Recommendations

• Regularly check for, update, and remove old versions of Java.
• Don't click on web popups, but close the window instead. If they won't close, open your process list and force your browser to close.
• You can verify your software is up to date by installing&nbs