Last month, I wrote about how Microsoft told its users to update Java or kill it. This week, a new 0-day vulnerability in Sun’s software is pushing security companies to do the same, with one exception: there’s no update available yet, so the suggestion is you should just kill Java.
The brouhaha began this past weekend when FireEye spotted a new Java zero-day vulnerability in the wild, as part of limited targeted attacks. Since Oracle has yet to issue a patch, security companies can’t just tell everyone to update.
Several researchers have found the vulnerability is being used in drive-by download style attacks that eventually result in the installation of the Poison Ivy remote-access tool (RAT). The attacks are currently coming from a domain in China, but there’s nothing stopping them from spreading further. Working exploit code is available online, and Metasploit even has a module available for the flaw.
The security hole affects all versions of Oracle’s Java 7 (version 1.7) on all supported platforms. That means all the main browsers are vulnerable if they have the Java plugin installed, including Internet Explorer, Google Chrome, Mozilla Firefox, Opera, and Safari.
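Because the post says every release of Java 7 (reported by the runtime as 1.7.x) is affected, the practical first step for a defender is an inventory check: find which hosts carry a 1.7 runtime. The script below is an added example written for this page, not code from the post or from any vendor named in it; it parses the banner that `java -version` writes to stderr and flags 1.7.x, using two constructed sample banners so it can be exercised without Java installed. The `check_local_java` helper runs the real command on the host it is executed on.

```python
import re
import subprocess

# `java -version` prints its banner to stderr; the first line looks like
#   java version "1.7.0_06"
# Both banners below are constructed samples for this example.
SAMPLE_JAVA7 = (
    'java version "1.7.0_06"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
)
SAMPLE_JAVA6 = (
    'java version "1.6.0_33"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_33-b03)\n'
)

# Matches  version "MAJOR.MINOR.PATCH_UPDATE"  (the update suffix is optional)
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, patch, update) parsed from a banner, or None."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_affected(banner):
    """True when the banner describes Java 7, which the post reports as
    affected in every release (all 1.7.x, all supported platforms)."""
    version = parse_java_version(banner)
    return version is not None and version[:2] == (1, 7)


def check_local_java(java_cmd="java"):
    """Run `java -version` on this host.  Returns (banner, affected);
    banner is None when no Java binary is found or it hangs."""
    try:
        proc = subprocess.run(
            [java_cmd, "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None, False
    banner = proc.stderr or proc.stdout  # older JREs use stderr, some use stdout
    return banner, is_affected(banner)


if __name__ == "__main__":
    for label, banner in (("sample Java 7", SAMPLE_JAVA7), ("sample Java 6", SAMPLE_JAVA6)):
        print(f"{label}: {'affected' if is_affected(banner) else 'not flagged'}")
    local_banner, affected = check_local_java()
    if local_banner is None:
        print("local JRE: none found")
    else:
        print(f"local JRE: {'AFFECTED' if affected else 'not flagged'}")
```

Note that a 1.7 runtime on disk is a necessary but not sufficient sign of exposure: the drive-by attacks the post describes go through the browser plugin, so a host where the plugin is disabled but the JRE remains installed will still be flagged here, which is the conservative outcome for an inventory sweep.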
DeepEnd is currently offering an unofficial patch for the vulnerability, but you have to request it and explain why your organization needs it. Furthermore, even the security firm behind the patch would rather you not use it:
This is not an official patch and had limited testing. In general, it is best to disable Java in your browser
Kaspersky also recommends you kick Java to the curb:
DeepEnd has access to a third-party patch, produced by Schierl, that organizations can request on an individual basis. Barring that, the best advice right now is to disable Java altogether if there isn’t a pressing need to have it running.
Sophos agrees you should ditch Java:
F-Secure has also jumped on the bandwagon:
Uninstall Java (JRE) if you don’t need (or use) it. If you do need (and want) it, then at least disable the browser plugin(s) when it’s not in use. You could also consider installing an extra browser exclusively for Java based sites.
For what it’s worth, Symantec, which noted attackers have been using this zero-day vulnerability since at least August 22, did not make the same push regarding getting rid of Java. Too bad I already took Microsoft’s suggestion to heart, and haven’t looked back since.
Malware writers love exploiting Java because it’s a cross-platform plugin. Such an attack vector allows them to target more than one operating system, more than one browser, and thus more than one type of user.
Image credit: stock.xchng