Oracle on Saturday confirmed the 0-day vulnerability discovered in Java 7 that made headlines this week. Furthermore, the company told Reuters that “a fix will be available shortly,” but wouldn’t go into more detail as to when exactly that would be.
On Thursday, the US Computer Emergency Readiness Team (US-CERT), which falls under the National Cyber Security Division of the Department of Homeland Security, issued the following vulnerability note:
Overview – Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description – Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
Impact – By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
The critical security hole, which allows attackers to execute malicious software on a victim’s machine, was quickly exploited in the wild and made available in common exploit kits. Later the same day, Apple stepped in to block Java 7 on OS X 10.6 and up to protect Mac users.
On Friday, we learned that the 0-day exploit would not have worked if Oracle had properly fixed an older vulnerability, according to Security Explorations, the security firm responsible for identifying most of the recent Java vulnerabilities. Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API; Oracle released a patch for it in October 2012, but the fix was incomplete.
Also on Friday, Mozilla added all recent versions of Java to its Firefox add-on blocklist. These include Java 7 Update 9, Java 7 Update 10, Java 6 Update 37, and Java 6 Update 38; older Java versions were already blocklisted due to other vulnerabilities.
Once Oracle releases Java 7 Update 11, Mac users and Firefox users will once again be able to use the Java plugin. Unfortunately, since the company still hasn’t said when that will be, we recommend that, whatever browser and operating system you use, you uninstall Java if you don’t need it and disable it otherwise. If you absolutely must use it, do so in a secondary browser.
Image credit: Florin Garoi