Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B


In the past 24 hours, a new zero-day vulnerability for Java has been found, reported to be infecting even those running the latest version (7u10).

Unfortunately, it has been found in some of the most prevalent crimeware kits being used to infect users with malware, so it is being targeted NOW.

As noted elsewhere, it has already been confirmed to be integrated into Cool EK and NuclearPack exploit kits.

The malicious JAR archives exploiting this vulnerability we’ve seen so far are detected by Sophos products as Mal/JavaJar-B.

As ever though, we would strongly recommend that users consider whether or not they require Java to be installed. If yes, ask whether it needs to be enabled within their web browser.

[Image: Java control panel]

Remember, Java 7 update 10 introduced some very useful security controls for those who do require Java to be installed.

A single check-box can be used to disable the web plugin entirely, protecting you not just against this latest zero-day, but also against the ones we are likely to see during 2013.

There are other options within the new security controls, so if you require Java to be installed, take a look through the options now available to lock down your systems.
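For administrators who need to confirm that the check-box actually took effect on a machine, or to enforce it from a system-wide file rather than trusting each user, the script below is an added example and is not code from the original article or from Sophos. It assumes that the 7u10 control panel stores the "Enable Java content in the browser" check-box as the `deployment.webjava.enabled` key in `deployment.properties`, and that Java treats a `<key>.locked` entry in the system-wide properties file as a lock that stops users re-enabling it; the sample properties file embedded in the script is constructed, and the file location varies by operating system.

```python
"""Audit and harden the Java 7u10 browser-plugin switch in deployment.properties.

Added example (not from the original article). Assumptions: the control-panel
check-box maps to the key `deployment.webjava.enabled` (false = plugin off) and
a `<key>.locked` entry in the system-wide file prevents users from changing it.
"""
from pathlib import Path

# Constructed sample of a per-user deployment.properties after the check-box
# "Enable Java content in the browser" was cleared and the security level left
# at the default.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Fri Jan 11 09:00:00 GMT 2013
deployment.version=7.10
deployment.webjava.enabled=false
deployment.security.level=HIGH
"""

PLUGIN_KEY = "deployment.webjava.enabled"


def parse_properties(text: str) -> dict:
    """Parse the simple key=value / key:value subset that Java writes.

    Comment lines start with '#' or '!'; a key with no separator maps to ''.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Java properties accept '=' or ':'; the first one present is the separator.
        candidates = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not candidates:
            props[line] = ""
            continue
        sep = min(candidates)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def audit(props: dict) -> dict:
    """Report whether the browser plugin is off and whether that setting is locked."""
    # Java's default is the plugin enabled, so a missing key counts as enabled.
    enabled = props.get(PLUGIN_KEY, "true").strip().lower() != "false"
    locked = f"{PLUGIN_KEY}.locked" in props
    return {"browser_plugin_disabled": not enabled, "setting_locked": locked}


def harden(props: dict) -> dict:
    """Return a copy suitable for the system-wide file: plugin off and locked."""
    out = dict(props)
    out[PLUGIN_KEY] = "false"
    out[f"{PLUGIN_KEY}.locked"] = ""
    return out


def render(props: dict) -> str:
    """Serialise back to the key=value form Java reads; bare keys have no '='."""
    lines = []
    for key, value in props.items():
        lines.append(key if value == "" else f"{key}={value}")
    return "\n".join(lines) + "\n"


def audit_file(path: str) -> dict:
    """Audit an on-disk properties file (e.g. ~/.java/deployment/deployment.properties
    on Linux; the exact location depends on the OS and Java build)."""
    return audit(parse_properties(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    current = parse_properties(SAMPLE_PROPERTIES)
    print("before:", audit(current))
    print("after: ", audit(harden(current)))
```

Run the script as-is to see the constructed sample go from "disabled but not locked" to "disabled and locked"; point `audit_file` at a real per-user or system-wide `deployment.properties` to check a machine.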

My advice? Don’t delay. Don’t put this on your security ‘to do’ list. Just secure your Java installation immediately.

Further reading:
Naked Security’s Chet Wisniewski has put together simple instructions for users of the most popular browsers, explaining how Java can be disabled:

man rushing cartoon image courtesy of Shutterstock.