Computer Security Warning: Java's Zero Day Vulnerability

by: bubbanomics

Fri Jan 11, 2013 at 15:06:42 PM EST

I came across this tidbit reading the news today.  Sounds pretty scary, so I will rattle your cyber cages with it.


Pretty much every web browser in common use allows websites you visit to run programs written in Java.  Most of these programs provide dynamic content and such, but some are malicious.  Java contains a vulnerability called Zero Day that is apparently bad enough that Homeland Security recommends you disable Java in your web browser:

Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.

I found this info through a ZDNet article.

If you're using Firefox on Windows, you can go to the Tools->Add-Ons menu.  I've disabled Java in the Extensions and Plug-Ins.  If you use IE, you'll have to go to the control panel and disable it through the Java console there.

If somebody finds out that my follicles are aflame, I will delete this post and get back to laughing.

I'm gonna call out to JanF and Chris Blask, both of whom know more about this stuff than do I.
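
An added example, not part of the original post or the CERT advisory: a Python check for the two conditions the quoted advisory turns on, namely whether `java -version` reports Java 7 Update 10 or earlier and whether Java content in browsers is still enabled. It assumes the control panel setting is stored as `deployment.webjava.enabled` in the user's `deployment.properties` file and defaults to enabled when absent; the function names and sample strings are constructed for illustration.

```python
import re

# Highest Java 7 update the quoted advisory names as vulnerable.
LAST_AFFECTED_UPDATE = 10

# First line of `java -version`, e.g.  java version "1.7.0_10"  or  "11.0.2"
VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.\d+)?(?:_(\d+))?')

# Constructed sample inputs (not captured from a real machine).
SAMPLE_VERSION = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment\n'
SAMPLE_PROPS = "#deployment.properties\ndeployment.webjava.enabled=false\n"


def parse_java_version(version_output):
    """Return (major, update) from `java -version` text, or None."""
    m = VERSION_RE.search(version_output)
    if not m:
        return None
    first, second, update = m.groups()
    # Old scheme "1.7.0_10" means Java 7; newer scheme "11.0.2" means Java 11.
    major = int(second) if first == "1" and second else int(first)
    return major, int(update or 0)


def classify(version_output):
    """'affected' for Java 7 Update 10 or earlier, else 'not-listed'/'unknown'.

    'not-listed' only means the quoted advisory text does not name that
    version; it is not a statement that the version is safe.
    """
    parsed = parse_java_version(version_output)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major == 7 and update <= LAST_AFFECTED_UPDATE:
        return "affected"
    return "not-listed"


def web_java_enabled(properties_text):
    """Read deployment.webjava.enabled (assumed key; default: enabled)."""
    enabled = True
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == "deployment.webjava.enabled":
            enabled = value.strip().lower() != "false"
    return enabled


def needs_action(version_output, properties_text=""):
    """True when an affected runtime can still run content from web pages."""
    return classify(version_output) == "affected" and web_java_enabled(properties_text)


if __name__ == "__main__":
    print(classify(SAMPLE_VERSION), needs_action(SAMPLE_VERSION, SAMPLE_PROPS))
```

Feed it the text printed by `java -version` (which goes to standard error) and the contents of the user's `deployment.properties` file.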


Yikes, (2.00 / 15)
thanks for this bubba, I'll be curious to hear others chime in. FWIW I haven't updated my Java in a while because I always seem to have a problem when I do. If I come across something that says I need to update my Java to see it, I just say fuck it and move on. :)

Shake it like a Polaroid picture.

So, who do we worry about more: (2.00 / 12)
hackers, Anonymous, or the fascist police state.
Inquiring minds want to know.

I am for the individual over government, government over big business and the environment over all. -- William O. Douglas

That's easy, ITSCS. (1.91 / 11)
all of them. !!!!!

Shake it like a Polaroid picture.

[ Parent ]
Chrome users (2.00 / 12)
Settings> Settings> Advanced Settings> Privacy> Content Settings> scroll down to Java script.

Raina, "javascript" is not the problem. (2.00 / 10)
Java is the problem.  From the CERT Doc I referenced in my post:
Chrome: See the "Disable specific plug-ins" section of the Chrome documentation for how to disable Java in Chrome. By default, Chrome will group plug-ins, so clicking "disable" for Java will disable both the Java plug-in and the Java Deployment Toolkit plug-in. However, if you click "Details" to expand the display of plug-ins, be sure to disable both the Java plug-in and the Java Deployment Toolkit plug-ins.

[ Parent ]
Glad you diaried this! (2.00 / 11)
It appears that this exploit is in the wild and affects Windows, Mac, and Linux based operating systems.  It also appears that running anti-virus software or firewalls will not prevent this issue from affecting you.  The most likely way of being impacted by this virus is through your web browser.  If you are using Firefox to access the web, it appears that No-Script may provide some protection from this exploit.

Disabling the Java plug-in for your web browser will make you less vulnerable.  This document from CERT can tell you how to disable Java in your browser:

The top of the web page described the situation.  The section marked "Solution" is where you want to pay attention and follow the instructions.

Not to sound too alarmist here, but please read this quote from UK's The Register:

"The beauty of this bug class is that it provides 100 per cent reliability and is multi-platform," Esteban Guillardoy, a researcher at Argentina-based security outfit Immunity explains in a technically detailed blog post here.

Thanks for this. I just disabled Java on my Mac. eom (2.00 / 9)

"I base most of my fashion sense on whether or not it itches"  -- Gilda Radner

[ Parent ]
did disabling have any effects on performance? (2.00 / 8)
just curious

Earth is the best vacation place for advanced clowns. --Gary Busey

[ Parent ]
It did for me.... (2.00 / 9)
I stopped by my computer guy's office with my Dell laptop (Windows 7 and Chrome), he read the post, disabled Java...and YouTube wouldn't work. The videos will play without it but other info (history, my channels, favorites) was not there. I can't have that, so Java is back on, with a cautionary note from him to be careful where I go browsing around.

Here's Justin himself.....

Love is the lasting legacy of our lives

[ Parent ]
thanks for the info! (2.00 / 8)

Earth is the best vacation place for advanced clowns. --Gary Busey

[ Parent ]
If all you have do on the laptop is browse the web... (2.00 / 12)
... then cool.  Otherwise, his cautionary note should be similar to ensuring safe sex by making sure that all partners are wearing wetsuits.  This exploit seems to violate the rules under which Java was designed.  The "sandbox" Java runs in was never supposed to allow for interaction with the host operating system the way this exploit is taking place.

To give you an idea of how careful you have to be: this page is actually running code from 14 other web sites - you wouldn't know it without looking at the scripts used to generate the page.  Safe browsing would mean that you trust not only the site you go to, but also all of the sites that the visible site is accepting code from.  If one of those sites is compromised, you're hosed.

Something this important will force Oracle, the company that owns Java, to put out a patch very quickly.  That patch will be tested by thousands of people before it gets to you.  I'd personally rather do without YouTube's bells and whistles for a few hours or days than risk giving someone unfettered access to my system.

[ Parent ]
Wow. Just... wow. (2.00 / 4)
I went to undergrad in a kind of IT/business management mix of a program and admitted that I SUCKED at it so I promptly went to law school and now practice in criminal law, where the most dangerous things, rather than computer viruses, are cranky strung-out clients with AR-15s. :) (I haz jokes!)

So, I get the terminology but not the individual coding stuff and this kind of exploit strikes me as potentially a BFD for Java.  We're a Mac household and Apple has always been very skeptical about allowing Java onto portable devices at all on account of memory leaks but also security - I am beginning to see why.  Like you say, this is not how sandboxing is supposed to work.  It strikes me that browsers and operating systems have been all but forced to delegate more and more responsibility (and access) to these sorts of third-party processes and a Java vulnerability could do a lot of damage if exploited by sophisticated bad guys.

So few exploits affect Macs, too, so after my parents made the switch after I did in '04, this has not commonly been something I've had to address.  I rarely venture outside of my normal circle of websites but I'll have to turn java off in Safari on my parents' MacBooks; hell, I never use YouTube unless linked to it so maybe I'll do so here as well until this resolves.

[ Parent ]
Which is too bad, because you will have to wait to see this: (2.00 / 2)


John Askren - "Never get into a pissing match with a skunk."

[ Parent ]
LOL (2.00 / 2)
Just sent the link to a friend whose elderly PC crashed and who has at long last bought a Mac and is now learning to compute all over again.

I don't believe she's torn out ALL of her hair yet.

If it were done when 'tis done, then 'twere well it were done subjunctively.

[ Parent ]
We have one Mac at home. (2.00 / 2)
It crashes in all sorts of delicious ways.

They aren't particularly better or worse than each other, but for now I am canalized enough to be happier with Windows. I'm OK with Mac if I can get a command line and be happy in Linux, but the interface is forever boggling me as to where the *&^% anything is.

John Askren - "Never get into a pissing match with a skunk."

[ Parent ]
The only thing I've noticed is a problem with YouTube but it's not (2.00 / 6)
a site I visit very often.  A couple of folks sent a YouTube video via e-mail and neither of the links would open.  No biggie at this point.

"I base most of my fashion sense on whether or not it itches"  -- Gilda Radner

[ Parent ]
Some info from CNET (2.00 / 7)

A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).

The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:

"Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to "permissions of certain Java classes," as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack."
The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform. Additionally, the exploit is currently being distributed in the competing exploit kits "Blackhole" and "NuclearPack," making it far more convenient to criminal malware developers to use.

Even though the exploit has not been seen in OS X, Apple has taken steps to block it by issuing an update to its built-in XProtect system to block the current version of the Java 7 runtime and require users install an as of yet unreleased version of the Java runtime (release b19). Additionally, the U.S. Department of Defense has issued an advisory to disable Java on systems that have it installed.

Earth is the best vacation place for advanced clowns. --Gary Busey

Zero day attacks are the worst. (2.00 / 8)
No one is ready for them because they indicate that some knothead found a new way to worm into trusted software to pass on a virus.

The most famous one was the ILOVEYOU virus that started in an email addressed to people saying that "[person who you know] loves you". Who wouldn't click on that? That one wiped out all of a network's image files. Another one hit in February 2009 and slowly destroyed operating systems. All computers impacted had to be rebuilt from scratch.

My anti-virus provider, Trend Micro, tells me that the Day Zero for this exploit was actually yesterday and their pushed patch from this morning protects computers using their server based software.

Java controls its own updating and installation on people's computers and I hope that Oracle at least shuts down the automatic update.

Words have meaning. Our words will reflect what is in our souls.

And Oracle is kind of a leaky sieve, apparently. (2.00 / 10)
I went to my Bing™ and found this article ... from August of 2012:
Oracle Corp. repaired bugs in its widely used Java software on Thursday, several days after several computer security experts found flaws that they said opened PCs to attacks by hackers.

Warnings about the bugs began emerging over the weekend, unnerving businesses and consumers scrambling to fend off growing threats from computer viruses that are able to evade anti-virus software.

This is a dilemma because if you don't run Java certain web features don't work. You can't just turn off updates because if you don't update Java, an older version may have more vulnerabilities if it remains unpatched.

Java is free software to end-users but they need to respect that their product has been invited onto people's computers and take better precautions. Two attacks in less than 6 months is unacceptable.

Words have meaning. Our words will reflect what is in our souls.

[ Parent ]
It sounds like Oracle is now planning on releasing a fix for this problem... (2.00 / 7)
... on Tuesday, January 15.  So please make sure you take the appropriate precautions until at least Tuesday.  Just as an FYI, the patch that Oracle is planning on releasing will contain fixes for 86 known security issues with the current release of Java.

[ Parent ]
I am pretty sure that I would NOT want to be the first person loading that. (2.00 / 5)
My recommendation would be to wait until the end of the week before you install the patch. Early adopters are going to be beta testing this fix.

Words have meaning. Our words will reflect what is in our souls.

[ Parent ]
Generally speaking, (2.00 / 6)
I don't call out the average user to worry about shit like this.

There isn't much the average user can do to fight off the Evil Hacker. Keep automatic updates on, run some reasonable security software if it makes you feel better, and go about your business. For something like this you are aware of, try to follow the advice offered if possible but don't lose your minds over it.

There will always be a new Zero Day popping over the horizon - once it is known. In the meantime there will be -Zero Days that folks are not yet aware of out there doing terrible things. "Drive By" hacks like this - hacks embedded in websites unbeknownst to the site owner - are common.

As Hey says, "safe browsing" is largely impossible just due to the interlinkages of sites these days. It is easy to point to porn sites or other "disreputable" pages as good places to pick up the clap, but your favorite sporting fan site isn't any more likely to be hypervigilant than (and less likely than most) porn sites.

John Askren - "Never get into a pissing match with a skunk."

A couple of years ago, Photobucket failed to do due diligence (2.00 / 5)
on their ad partners and one of their cycled ads had a virus in it. Some of the Pootie people who had out of date anti-virus programs (or none [insert shock emoticon here]) were down for several days as many of them had to have their computers fumigated or rebuilt.

Computer users will always download stuff they shouldn't, thinking it will be fun or useful (coupon programs, protect-your-pc-now). You can't stop them unless you put their browser into nanny-mode. Most users hate that so the best you can do is protect against the worst damage and hope that common sense will prevail.

Words have meaning. Our words will reflect what is in our souls.

[ Parent ]
this one seemed different to me... (2.00 / 4)
I can't recall seeing DHS ask people to disable something.

[ Parent ]
Last year the DHS actually blocked a malicious web site. (2.00 / 4)
The Obama administration seems to be pretty proactive on this stuff. Probably because Democrats understand that the Internet is not a "series of tubes" but is vital infrastructure that commerce depends on.

Words have meaning. Our words will reflect what is in our souls.

[ Parent ]
DHS is struggling with information sharing, (2.00 / 4)
but they are making progress. US-CERT and ICS-CERT issue a fair number of notices, in the ICS (Industrial Control System) space pretty well all of them indicate pretty drastic stuff that can be done to systems (executing arbitrary code). While I would never encourage anyone not to take whatever steps they can which are contained in notices from the CERTs and other sources, for the average personal computer user I tend more often to try to calm people's fears and recommend that they just do what they reasonably can. The reality is that the overwhelming majority will neither be aware of these notices nor able to understand or do anything with them, and the overall impact of people panicking is usually going to be worse than doing nothing more than making sure they get the updates that vendors create to address such vulnerabilities.

One of the hats I wear is as Chair of the ICS-ISAC (Industrial Control System Information Sharing and Analysis Center), a private-sector counterpart to public sector entities like ICS-CERT. I've been at this security stuff for a long time, and as in my political views find that the best path the majority of the time is to push progress where possible that effects the greatest good.

FUD (Fear, Uncertainty and Doubt) is used by many in political as well as security circumstances who honestly wish to effect such change - enough so that a certain amount of aggregate pressure is maintained, which is itself a good thing - which allows me to take the position I prefer.

Most people - whether personal users, enterprises or industrial asset owners - will never be capable of staying as actively informed about security risks and threats. Fortunately, the continued existence and on-average successful operation of these systems indicates that to date we have managed to do enough of the right things so they don't have to.

The challenge is not to make the world so that every person has to maintain eternal active diligence (of personal or electronic security), but to keep advancing the mechanisms that provide an infrastructure which does it for them. If we ever reach a point where every person has to know all these things in order to keep the infrastructure working it will fail, because life isn't (and should be) like that.

Really no different than the "every teacher needs a gun" topic. If in fact that was the case we have already failed, because that will simply not work, and such a world is already not the one we want to live in.

John Askren - "Never get into a pissing match with a skunk."

[ Parent ]
Thank you so much for this timely discussion, bubba and everyone (2.00 / 5)
Java platform is disabled. Hope that is enough to keep things safe.

I'm an idjit when it comes to all things tech and can't thank you all enough for sharing your expertise in such things.

Woops! Looks like Firefox had already disabled Java (2.00 / 5)
 so that if you go in to disable it yourself you end up enabling it again.

Does that make sense? I think that really needs to get cleared up otherwise Firefox users will be doing themselves in if they don't realize that Firefox has already disabled Java Platform for them.  

[ Parent ]
What I got (2.00 / 5)
when I went into Firefox to disable Java was a red-letter warning on the listed Java Platform plug-in that there was vulnerability.  Oddly enough, on my Win7 laptop and desktop the Java Platform was disabled but the Toolkit was not (I did that manually); on the XP computer neither was disabled till I clicked the button.

If it were done when 'tis done, then 'twere well it were done subjunctively.

[ Parent ]
Update: For folks following this, Microsoft has a patch for Windows: All Versions. (2.00 / 3)
An out-of-band security patch is being released to address problems in all versions of Internet Explorer (6 through 9). Computers which have automatic updates set will pick up these updates tomorrow, January 14. If you don't have automatic updates turned on you should obtain the updates manually.

Normally, Microsoft issues patches on Microsoft Patch Tuesday which is the 2nd Tuesday of the month. This month it was the 8th.

An out-of-band security patch is a BHD and indicates the level of Microsoft's concern.  

Microsoft will host a webcast to address customer questions on the out-of-band security bulletin on January 14, 2013, at 1:00 PM Pacific Time (US & Canada).

Words have meaning. Our words will reflect what is in our souls.

