In the past 24 hours, a new zero-day vulnerability in Java has been found, and it is reported to be infecting even those running the latest version (7u10).
Unfortunately, it has been found in some of the most prevalent crimeware kits being used to infect users with malware, so it is being targeted NOW.
As noted elsewhere, it has already been confirmed to be integrated into Cool EK and NuclearPack exploit kits.
The malicious JAR archives exploiting this vulnerability we’ve seen so far are detected by Sophos products as Mal/JavaJar-B.
As ever, though, we would strongly recommend that users consider whether or not they require Java to be installed. If they do, they should ask whether it needs to be enabled within their web browser.
Remember, Java 7 update 10 introduced some very useful security controls for those that do require Java to be installed.
A single check-box can be used to disable the web plugin entirely, protecting you not just against this latest zero-day, but also against the ones we are likely to see during 2013.
There are other options within the new security controls, so if you require Java to be installed, take a look through the options now available to lock down your systems.
My advice? Don’t delay. Don’t put this on your security ‘to do’ list. Just secure your Java installation immediately.
Further reading:
Naked Security’s Chet Wisniewski has put together simple instructions for users of the most popular browsers, explaining how Java can be disabled:
- How to disable Java in Internet Explorer
- How to disable Java in Firefox
- How to disable Java in Chrome
- How to disable Java in Safari
- How to disable Java in Opera
So, I don't suppose that there's an "administrative" way to make such changes, for those of us with managed services platforms and hundreds/thousands of remote clients?
If you read Oracle's notes on J7U10 they describe how you can change this setting with a command-line script. I imagine this could be deployed as a login script or through SCCM or SCOM.
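For the administrative route raised in the exchange above, one way to verify the result across managed clients, as an added example that is not part of the original comments or of Oracle's notes: it audits the text of Java's system-level and user-level `deployment.properties` files for the `deployment.webjava.enabled` switch and its `.locked` marker. The property names are Oracle's documented deployment properties (they are not quoted on this page); the host names and file contents are constructed, and locating the files on each client is left to the deployment tool.

```python
# Added example (not Oracle's or Sophos's code). Sample file contents are constructed.
WEBJAVA = "deployment.webjava.enabled"
LEVEL = "deployment.security.level"

def parse_properties(text):
    """Parse the subset of Java .properties syntax used by deployment.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if seps:                                  # key=value or key:value
            cut = min(seps)
            props[line[:cut].strip()] = line[cut + 1:].strip()
        else:                                     # bare key, e.g. "<name>.locked"
            props[line] = ""
    return props

def effective(system, user, key, default=None):
    """System value wins when the system file locks the key; otherwise the
    user-level value overrides the system-level one."""
    locked = (key + ".locked") in system
    if not locked and key in user:
        return user[key], locked
    return system.get(key, default), locked

def audit(system_text, user_text):
    """Return a list of findings; an empty list means nothing needs fixing."""
    system, user = parse_properties(system_text), parse_properties(user_text)
    findings = []
    enabled, locked = effective(system, user, WEBJAVA, "true")  # absent means enabled
    if enabled.lower() != "false":
        findings.append("web plugin enabled")
    elif not locked:
        findings.append("web plugin disabled but not locked")
    level, _ = effective(system, user, LEVEL)
    if level is not None and level.upper() not in ("HIGH", "VERY_HIGH"):
        findings.append("security level " + level.upper())
    return findings

# Constructed sample files for three managed clients.
LOCKED_OFF = "# system-wide policy\ndeployment.webjava.enabled=false\ndeployment.webjava.enabled.locked\n"
USER_ON = "deployment.webjava.enabled=true\ndeployment.security.level=MEDIUM\n"
USER_OFF = "deployment.webjava.enabled = false\n"

if __name__ == "__main__":
    for name, sys_txt, usr_txt in [("pc-01", LOCKED_OFF, USER_ON),
                                   ("pc-02", "", USER_ON), ("pc-03", "", USER_OFF)]:
        print(name, audit(sys_txt, usr_txt) or "OK")
```

A client whose user file re-enables the plugin is only reported clean when the system-level file both sets the switch to `false` and locks it.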
I guess I am blind. I cannot find a link to fix this.
Neither could I.
There is no fix aside from disabling or removing Java at this time. When Oracle makes an official fix available we will post the details.
Thank you very much. I have Java installed on my Mac. I just had the Geek Squad here and everything is fine with my Mac. My husband said a Mac does not need this, all threats are detected and reported. Is this true? I don't have to do anything on a Mac?
I will be waiting for a reply in my e-mail. I probably won't find this page again, I always get lost in cyberspace.. lol
OK and thank you very much! I really appreciate it, and my husband travels a lot and I am not very computer savvy. I need step-by-step instructions, ya I am a dumb blonde
I did subscribe to this newsletter
Mary… Macs are just as prone to threats as PCs are. (Not trying to be negative – I just hear this far too often…) Here's some reading for you: http://gizmodo.com/5946551/java-vulnerability-cou…
and, just for fun… http://www.forbes.com/pictures/mhl45lffj/hacking-…
Good luck…
Unfortunately my online college uses Java for one of its online textbook/exam channels. There’s no way to use it without Java. :/
This is one of the reasons I’ve chosen proctored tests at a local library. I don’t want to crash in the middle of a final exam!
We hear this all too often. A good alternative is to use one browser for your everyday surfing and only enable Java in the second browser for your college use.
Thank you for this post and the heads up that you provide. I want to take precautions but I couldn't figure out how to do it via this post. I clicked on "options" but couldn't make sense out of what's on that page. How can I, Average Josephine, take the security measures that you are suggesting in your post? I already have the Sophos software installed. Need I do more?
@Calvin, here you go: http://nakedsecurity.sophos.com/2012/08/30/how-tu…
@Calvin, sorry, I meant @Mary. Must have some Java dyslexiware trojan in my keyboard . . .
“As ever though, we would strongly recommend that users consider whether or not they require Java to be installed.”
Wish I could. Too bad my bank and government use Java for logging in to all their services. It’s horrible. :/
Besides disabling things you don’t need you could always try surfing a little less randomly, take your everyday user out of the administrator group. Security sells on the unknown, precaution is good but if we lived our lives like they want us to on the Internet in real life, we would never cross the street.
Is there anything available to replace Java?
Microsoft's .NET platform (C#, ASP.NET, etc)
If you don't need Java you are better off uninstalling it via Control Panel – Programs (Or Add/Remove Programs).
Very few web sites need it (and chances are you'll know if you use one that does), although some programs like the Minecraft game do need it. Even if you use a web site that needs Java, the method of "disabling" the plugin is quite simple and easy. Maybe you could only enable it when you need it?
Unfortunately there's no replacement for Oracle's Java!
I found that I don't need Java. My game works just as well without it. Thank you!!
Are Linux-based OSes like Ubuntu vulnerable to this zero-day as well?
If you cannot find the "Security" tab in Control Panel – Programs – Java to disable the browser plugin, you need to update your Java to version 7 10. Go to the "General" tab, click the "About" button.
If you have "Version 7":
Close the "About Java Window". Click on the "Update" tab and then the "Update Now" button. Follow on-screen instructions and, once completed, the "Security" tab should appear with an easy and quick method to disable the Java plugin. No "Update" tab? You're probably using the 64-bit version of Java. You will have to visit java.com and follow the download/install links to update manually.
If you have "Version 6":
You need to update Java to version 7 via their web site at java.com and follow the download/install links to update manually.
I am trying to uninstall it from both IE and Chrome and each time I try I get a pop up that asks if I want to allow the Oracle to make changes to my computer. Why am I not able to uninstall?
Does Java Script need to be uninstalled also?
Java and JavaScript have nothing in common except the letters "Java" in their names. It's a historical thing that has caused plentiful confusion over the years…
Is this also a threat on mobile platforms like Android? The browsers (Chrome, Puffin, Firefox) on my Nexus 10 also use Java.
Shouldn't be. While Android applications are Java themselves, Java is not enabled in the browsers on mobile platforms. The bug is in the Java web plugin, so mobiles are safe.
I am running windows 7 home premium 64 bit. I recently installed Java 7-32 bit. I also have a couple of plugins to enable printing of "web coupons". I had been aware there were concerns about java so I was only enabling those printer plugins on an "as needed" basis.
I have now gone into the Java 7 console and disabled Java, and had previously disabled it in both IE9 and Chrome. But my question is – when will it again be safe to print coupons, if ever?
Hard to say Deja,
We expect Oracle will release a fixed version of Java soon, but it will always be a risk. The best approach is to configure one browser to use Java and your normal surfing browser not to. This way you can get your coupons on the browser you need Java to work and your regular browser you surf with to be safe.
Thank you Chester, now why didn't I think of that? 🙂
As the Admin I think it is now time for me to set up different user identities for surfing, definitely one for coupons only.
Wow, being internet paranoid takes a lot of work!
I tried to uninstall two Java apps from IE. When clicking "uninstall" for 6 Update 27 (64 bit) I got the popup asking if I would allow a program to make changes. Problem was the program was from an "Unknown source", so I said NO, and it would not uninstall.
I then tried to uninstall 6 Update 30 and when I got the same popup window the source of the program was Sun Microsystems. So I said "YES" and the uninstall proceeded normally.
What gives with the "unknown source" when trying to uninstall 6 Update 27?
Oracle has recently released JRE Version 7 Update 11 which can be downloaded from:
http://java.com/en/download/manual.jsp
More details can be found at “Oracle Security Alert for CVE-2013-0422”:
http://www.oracle.com/technetwork/topics/security…
See also:
http://nakedsecurity.sophos.com/2013/01/13/oracle…
We wrote this up with some additional advice to persuade you:
* to update even if you turned Java off
* to keep Java off even after you update
* to check whether you really turned Java off or not
Sorry for this dumb question but if you update to Java 7 U11 to fix this vulnerability but still need to run older versions of Java for client app compatibility, are you still at risk?
Are you only truly safe if you can get rid of older versions of Java completely?
Does this include Java 7 Update 9?
So to be clear we are talking about not using Java Applets here right? I don’t think Java is the issue, it’s the Applet technology that is. Let’s be clear.