Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B

Filed Under: Featured, Java, Security threats, SophosLabs, Vulnerability, Web Browsers

rushing man cartoonIn the past 24 hours, a new zero-day vulnerability for Java has been found, reported to be infecting even those running the latest version (7u10).

Unfortunately, it has been found in some of the most prevalent crimeware kits being used to infect users with malware, so it is being targeted NOW.

As noted elsewhere, it has already been confirmed to be integrated into Cool EK and NuclearPack exploit kits.

The malicious JAR archives exploiting this vulnerability we've seen so far are detected by Sophos products as Mal/JavaJar-B.

As ever though, we would strongly recommend that users consider whether or not they require Java to be installed. If yes, ask whether it needs to be enabled within their web browser.

Java control panel

Remember, Java 7 update 10 introduced some very useful security controls for those that do require Java to be installed.

A single check-box can be used to disable the web plugin entirely, protecting you not just against this latest zero-day, but also against the ones we are likely to see during 2013.

There are other options within the new security controls, so if you require Java to be installed, take a look through the options now available to lock down your systems.

My advice? Don't delay. Don't put this on your security 'to do' list. Just secure your Java installation immediately.

Further reading:
Naked Security's Chet Wisniewski has put together simple instructions for users of the most popular browsers, explaining how Java can be disabled:

man rushing cartoon image courtesy of Shutterstock.

, , , ,

You might like

35 Responses to Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B

  1. So, I don't suppose that there's an "administrative" way to make such changes, for those of us with managed services platforms and hundreds/thousands of remote clients?

    • Chester Wisniewski · 996 days ago

      If you read Oracle's notes on J7U10 they describe how you can change this setting with a command-line script. I imagine this could be deployed as a login script or through SCCM or SCOM.

  2. Mary · 996 days ago

    I guess I am blind. I can not find a link to fix this.

    • Virginia · 996 days ago

      Neither could I.

    • Chester Wisniewski · 996 days ago

      There is no fix aside from disabling or removing Java at this time. When Oracle makes an official fix available we will post the details.

      • mary osterman · 996 days ago

        ty very much i have java installed in my mac i just had the geek squad here and everything is fine with my mac. my husband said a mac does not need this all threats r detected and reported is this true i don't have to do anything on a mac?
        I will b waiting for a reply in my e-mail i probably wont find this page again, i always get lost in

  3. Calvin Hobbes · 996 days ago

    Unfortunately my online college uses Java for one of it's online textbook/exam channels. There's no way to use it without Java. :/

    This is one of the reason I've chosen proctored tests at a local library. I don't want to crash in the middle of a final exam!

    • Chester Wisniewski · 996 days ago

      We hear this all too often. A good alternative is to use one browser for your everyday surfing and only enable Java in the second browser for your college use.

  4. Felixa · 996 days ago

    Thank you for this post and the heads up that you provide. I want to take precautions but I couldn't figure out how to do it via this post. I clicked on "options" but couldn't make sense out of what's on that page. How can I, Average Josephine, take the security measures that you are suggesting in your post? I already have the Sophos software installed. Need I do more?

  5. Ron · 996 days ago

    @Calvin, sorry, I meant @Mary. Must have some Java dyslexiware trojan in my keyboard . . .

  6. "As ever though, we would strongly recommend that users consider whether or not they require Java to be installed."

    Wish I could. Too bad my bank and government use Java for logging in to all their services. It's horrible. :/

  7. Andy · 995 days ago

    Besides disabling things you don't need you could always try surfing a little less randomly, take your everyday user out of the administrator group. Security sells on the unknown, precaution is good but if we lived our lives like they want us to on the Internet in real life, we would never cross the street.

  8. Nancy · 995 days ago

    Is there anything available to replace Java?

    • alfred e. neuman · 995 days ago

      Microsoft's .NET platform (C#, ASP.NET, etc)

    • Adam Piggott · 995 days ago

      If you don't need Java you are better off uninstalling it via Control Panel - Programs (Or Add/Remove Programs).

      Very few web sites need it (and chances are you'll know if you use one that does), although some programs like the Minecraft game do need it. Even if you use a web site that needs Java, the method of "disabling" the plugin is quite simple and easy. Maybe you could only enable it when you need it?

      Unfortunately there's no replacement for Oracle's Java!

      • Nancy · 994 days ago

        I found that I dont need Java. My game works just as well, without it. Thank you!!

  9. Ali · 995 days ago

    Are linux based OS's like Ubuntu vulnerable to this zero-day as well?

  10. Adam Piggott · 995 days ago

    If you cannot find the "Security" tab in Control Panel - Programs - Java to disable the browser plugin, you need to update your Java to version 7 10. Go to the "General" tab, click the "About" button.

    If you have "Version 7":
    Close the "About Java Window". Click on the "Update" tab and then the "Update Now" button. Follow on-screen instructions and, once completed, the "Security" tab should appear with an easy and quick method to disable the Java plugin. No "Update" tab? You're probably using the 64-bit version of Java. You will have to visit and follow the download/install links to update manually.

    If you have "Version 6":
    You need to update Java to version 7 via their web site at and follow the download/install links to update manually.

  11. Sheila B · 995 days ago

    I am trying to uninstall it from both IE and Chrome and each time I try I get a pop up that asks if I want to allow the Oracle to make changes to my computer. Why am I not able to uninstall?

  12. BKA · 994 days ago

    Does Java Script need to be uninstalled also?

    • Paul Ducklin · 994 days ago

      Java and JavaScript have nothing in common except the letters "Java" in their names. It's a historical thing that has caused plentiful confusion over the years...

  13. Gail Heylmun · 994 days ago

    Is this also a threat on mobile platforms like Android? The browsers (Chrome, Puffin, Firefox) on my Nexus 10 also use Java.

    • Chester Wisniewski · 994 days ago

      Shouldn't be. While Android applications are Java themselves, Java is not enabled in the browsers on mobile platforms. The bug is in the Java web plugin, so mobiles are safe.

  14. Deja · 994 days ago

    I am running windows 7 home premium 64 bit. I recently installed Java 7-32 bit. I also have a couple of plugins to enable printing of "web coupons". I had been aware there were concerns about java so I was only enabling those printer plugins on an "as needed" basis.

    I have now gone into the Java 7 console and disabled Java and had previously disabled in bothe IE9 and Chrome. But my question is - when will it again be safe to print coupons, if ever?

    • Chester Wisniewski · 994 days ago

      Hard to say Deja,

      We expect Oracle will release a fixed version of Java soon, but it will always be a risk. The best approach is to configure one browser to use Java and your normal surfing browser not to. This way you can get your coupons on the browser you need Java to work and your regular browser you surf with to be safe.

      • Deja · 993 days ago

        Thank you Chester, now why didn't I think of that? :)

        As the Admin I think it is now time for me to set up different user identities for surfing, definitely one for coupons only.

        Wow, being internet paranoid takes a lot of work!

  15. Scott · 993 days ago

    I tried to uninstall two Java apps from IE. When clicking "uninstall" for 6 Update 27 (64 bit) I got the popup asking if I would allow a program to make changes. Problem was the program was from an "Unknown source", so I said NO, and it would not uninstall.

    I then tried to uninstall 6 Update 30 and when I got the same popup window the source of the program was SunMicrosystems. So I said "YES" and the uninstall proceeded normally.

    What gives with the "unknown source" when trying to uninstall 6 Update 27?

  16. Tim F · 993 days ago

    Oracle has recently released JRE Version 7 Update 11 which can be downloaded from:

    More details can be found at "Oracle Security Alert for CVE-2013-0422":

  17. Jason S · 993 days ago

    Sorry for this dumb question but if you update to Java 7 U11 to fix this vulnerability but still need to run older versions of Java for client app compatibility, are you still at risk?

    Are you only truly safe if you can get rid of older versions of Java completely?

  18. Dick · 992 days ago

    Does this include Java 7 Update 9?

  19. Mike · 991 days ago

    So to be clear we are talking about not using Java Applets here right? I don't think Java is the issue, it's the Applet technology that is. Let's be clear.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.