Unpatched Vulnerability In Oracle Java Version 7 (aka 1.7)
On August 27, 2012 security researchers reported an unpatched vulnerability in Oracle Java version 7 (aka 1.7). Oracle typically releases Java patches every three months, with the next release scheduled for October 2012.
Browsing the web with a vulnerable version of Java JRE installed means that simply visiting a website is enough for an attacker to compromise your computer. This is known as a "drive-by download".
While "safe browsing" only to trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability or prevent exploitation. Please see "UISO Recommendations" and "Workarounds" below for further steps that must be taken.
The malicious software installed through these attacks will collect usernames and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, email, etc.
All versions of Oracle Java JRE 7 (aka 1.7) from the initial release up through update 6 are vulnerable.
Old versions of Java JRE, including Java version 6 (aka 1.6), are not vulnerable. Default installations of Mac OS X 10.8 Mountain Lion and 10.7 Lion are not vulnerable.
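To help system owners tell whether an installed JRE falls inside the affected range described above (Java 7 from the initial release through update 6), here is an added inventory check. It is example code written for this page, not a UISO tool. It parses the first line of `java -version` output (which the JVM prints to stderr) and compares the version against the range the advisory names; the sample outputs embedded in it are constructed, not captured from a real host, and the "not in affected range" label only means the version is outside the range this advisory lists, not that it is patched against everything.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Range named in the advisory: Java 7 (1.7.0) from the initial release
# through update 6 (1.7.0_06).
AFFECTED_MAJOR_MINOR = (1, 7)
LAST_AFFECTED_UPDATE = 6


class JavaVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int


# Matches e.g.  java version "1.7.0_06"  or  java version "1.6.0"
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract the version from `java -version` output; None if unrecognised."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return JavaVersion(int(major), int(minor), int(patch), int(update or 0))


def in_advisory_range(v: JavaVersion) -> bool:
    """True when the version is one the advisory lists as affected."""
    return (v.major, v.minor) == AFFECTED_MAJOR_MINOR and v.update <= LAST_AFFECTED_UPDATE


def classify(output: str) -> str:
    """Map raw `java -version` output to a short status label."""
    v = parse_java_version(output)
    if v is None:
        return "unknown"
    return "affected" if in_advisory_range(v) else "not in affected range"


def installed_java_version_output() -> Optional[str]:
    """Run `java -version` on this host. Returns None when no java is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    # The JVM writes its version banner to stderr, not stdout.
    return proc.stderr or proc.stdout


# Constructed sample banners in the format the JVM prints (hypothetical hosts).
SAMPLES = {
    "host-a": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "host-b": 'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)\n',
    "host-c": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "host-d": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(f"{host}: {classify(banner)}")
    live = installed_java_version_output()
    if live is not None:
        print(f"this host: {classify(live)}")
```

On a Windows fleet the same parsing can be applied to the output collected by whatever inventory tool is in use; only the version string matters, so the check works unchanged for any host that can run `java -version`.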
Using network sensors, the University Information Security Office (UISO) monitors the network for hosts with vulnerable versions of Java being exploited by drive-by downloads to install fake antivirus software and rootkits. This activity is expected to increase in the coming weeks. UISO does block this activity when we observe it on the network.
When a patch is made available, UISO will leverage Secunia Personal Software Inspector (PSI) to notify individual system owners of vulnerable versions of Java on Windows operating systems.
UISO Recommendations
- Regularly check for, update, and remove old versions of Java.
- Don't click on web popups, but close the window instead. If they won't close, open your process list and force your browser to close.
- You can verify your software is up to date by installing Secunia Personal Software Inspector on hosts running the Windows operating system and patching any of the vulnerable software it finds.
- Local Support Providers can remotely install Java updates using the Shavlik NetChk Protect product available from IUware.
The UISO is aware of Java patches created by third parties and does not endorse these patches.
Workarounds
- Disable Java. This workaround may prevent certain websites from working correctly.
- Install the Microsoft Enhanced Mitigation Experience Toolkit (EMET) and configure it to protect Java.