Out of nowhere, Oracle has released an emergency update to address the zero-day vulnerabilities being exploited by many different criminal groups.
Surprisingly, they included some previously unknown vulnerabilities that we can only assume may also have been in use in the wild.
The good news is customers who require Java in their environments can now deploy an official fix and proceed with less risk. The bad news is one of the fixes they shipped out affects Java 6, so everyone needs to patch, not just those who were running Java 7.
Oracle officially fixed four CVEs, presumably covering five vulnerabilities. It appears that CVE-2012-4681 was actually two vulnerabilities, so it is difficult to tell for sure whether they patched four or five flaws.
The first three only affect Java 7 and all have a CVSS score of 10, meaning they are remotely exploitable and result in code execution. That’s as bad as it gets, folks.
The fourth affects both Java 6 and Java 7, but by itself does not result in code execution. Oracle have not stated precisely what kind of flaw it is, but based on its description it sounds like a privilege escalation vulnerability.
The fact that Oracle included this fourth vulnerability implies that they are seeing it used in conjunction with other vulnerabilities in the wild. You are strongly encouraged to apply the fix right away.
The bigger question is, “Do you really need Java?” If you can get by without it, you should. That is true for any application that interfaces with the internet. Fewer programs means fewer vulnerabilities.
Unfortunately, many organizations do require Java, but sometimes there are alternatives. All you need to do is ask.
I tweeted complaining about Java requirements to @GoToMeeting yesterday and they responded with, “We’re in the process of replacing Java currently. On Windows you can always select the manual DL after disabling Java.” Excellent.
That is all of the info I have for now as Oracle’s web servers are currently returning an Apache error when I try to pull up the support document. I will update this article as appropriate with any further patch details when they are available.
Don’t wait for your auto-update program to trigger: download Java 7 Update 7 or Java 6 Update 35 now.
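A practical follow-up to that advice is checking whether the JRE actually installed on a machine is at or above the fixed update level. The script below is an added example, not part of the original article or anything Oracle ships: it parses the first line of `java -version` output (assumed to be in the classic `java version "1.7.0_07"` form, where the part after the underscore is the update number) and compares it against Java 6 Update 35 and Java 7 Update 7. The sample banners are constructed for the demonstration, not captured from real systems.

```python
import re
import subprocess

# Minimum fixed update levels named in the article: Java 7 Update 7 and Java 6 Update 35.
PATCHED_UPDATE = {6: 35, 7: 7}

# Assumed banner format: java version "1.<major>.<minor>_<update>"
# (the update suffix is optional in some early builds, e.g. "1.7.0").
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, update) parsed from a `java -version` banner line.

    'java version "1.7.0_06"' -> (7, 6); a missing update suffix counts as 0.
    Raises ValueError for banners in an unrecognised format.
    """
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError("unrecognised java -version banner: %r" % banner)
    major = int(match.group(1))
    update = int(match.group(2)) if match.group(2) else 0
    return major, update


def is_patched(banner):
    """True if the installed JRE meets the fixed update level for its major version.

    Majors the article does not cover (e.g. Java 5) are reported as not patched,
    since nothing on the page says they received a fix.
    """
    major, update = parse_java_version(banner)
    if major not in PATCHED_UPDATE:
        return False
    return update >= PATCHED_UPDATE[major]


def audit(banners):
    """Map each banner to True/False (patched) or None (unparseable)."""
    results = {}
    for banner in banners:
        try:
            results[banner] = is_patched(banner)
        except ValueError:
            results[banner] = None
    return results


def installed_java_banner():
    """Run the local `java -version` (it prints to stderr) and return its first line.

    Returns None if no java binary is on the PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr.splitlines()[0] if proc.stderr else None


# Constructed sample banners (not real captures) covering the cases that matter:
# below the fix, exactly at the fix, an uncovered major, and a missing update suffix.
SAMPLE_BANNERS = [
    'java version "1.6.0_18"',   # the Java 6 level a commenter below mentions
    'java version "1.6.0_35"',   # Java 6 Update 35: fixed
    'java version "1.7.0_06"',   # one update short of the fix
    'java version "1.7.0_07"',   # Java 7 Update 7: fixed
    'java version "1.5.0_22"',   # not covered by this release
    'java version "1.7.0"',      # no update suffix at all
]

if __name__ == "__main__":
    for banner, status in audit(SAMPLE_BANNERS).items():
        label = {True: "patched", False: "NOT patched", None: "unparseable"}[status]
        print("%-28s %s" % (banner, label))
    live = installed_java_banner()
    if live is not None:
        print("local install: %s -> %s" % (live, audit([live])[live]))
```

The parser deliberately treats a missing update suffix as update 0 rather than failing, because such builds are older than the fixed level and should be flagged as unpatched, not silently skipped.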
I was personally affected by this yesterday. I can only presume it is this exploit, as I have never been infected before. My computer suddenly restarted itself and when turned back on was displaying ransomware!!!
Quick boot into safe mode and update my Sophos and it is now gone. I believe that this exploit has easily reached out into the millions.
Glad they patched it today rather than waiting till October, which was originally said.
Great article
cheers Lewis
Java 6 vs Java 7? I thought Oracle wanted to kill off Java 6 since it's older.
I uninstalled Java. I don't need it; most web pages I go to don't require it any more.
Aside from the fact that JAVA is a security mess, the other thing that has always frosted me is that their updates are impossible for the average computer user to decipher. They list four different updates just for Windows with no clear explanation of which one is appropriate for you.
And I can't count the number of times I've had an update blow out on me, requiring an hour's worth of time trying to get everything unbuggered.
The program hides out on your PC; it doesn't show up under installed programs, so you have to go on a safari just to try and see whether you have the most recent version.
JAVA is without doubt, the meanest, ugliest, most user-unfriendly piece of crapware that I've ever had the misfortune to struggle with.
I uninstalled it a few days ago & so far I've had zero problems with browsing or any programs I use.
We use four versions of Java to get our home-built web apps working, none newer than 6 Update 18. This is how our company works, functions, makes money.
Welcome to the real world, Chester.
Too bad you guys are not on Firefox; they shut down any risky plugins to protect you.
Thank you for the advice, however you ask "Can you get by without Java?". I don't know! What does it do?
When you click on the link to download Java 7 update this is the message appearing on the screen:
"Java SE 7u7 is no longer the most current release of Java SE
Please visit our Java SE download page to get the latest version of the JDK.
If you are specifically looking for an older version of the JDK please visit our Java Archive Page"
JDK? Java SE 7u7? At risk of sounding crude, WTF?
If you have uninstalled all other Java programs, is it safe to keep Java 7, Update 11 that was just sent, or do you still recommend removing all Java programs?