BWW Geeks World

Homeland Security Issues Java Warning; Recommends Disabling Completely


The CERT Program has released Vulnerability Note VU#625617 to address a vulnerability in Oracle Java Runtime Environment (JRE) 7 and earlier that is currently being exploited in the wild. This vulnerability may allow an attacker to execute arbitrary code on vulnerable systems.

US-CERT encourages users and administrators to review the Vulnerability Note VU#625617. This advisory includes possible workarounds that help mitigate the risk against known attack vectors by disabling Java in web browsers.

The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or the Java Web Start plug-in. Oracle's documentation states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".

By leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to grant itself full privileges, without requiring code signing. Oracle Java 7 Update 10 and earlier are affected.
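The checkPermission gate quoted above is the control that an untrusted applet must get past before it can replace the security manager. The following stand-alone Java program, added here as an illustration and not taken from the advisory or from Oracle, shows that gate working as intended: it installs a custom SecurityManager that denies RuntimePermission("setSecurityManager"), then attempts to remove it and records the resulting SecurityException. The class name StrictManager and the tryToReplaceManager() helper are assumptions for this example; it runs on JDK 8 through 17 (JDK 18 and later require -Djava.security.manager=allow, since the SecurityManager API is deprecated for removal).

```java
import java.security.Permission;

public class SecurityManagerGateDemo {

    // Hypothetical manager for this example: it refuses only the one
    // permission needed to swap the manager out and permits everything else,
    // so the demo isolates the check the advisory describes.
    static final class StrictManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException(
                        "refusing to replace the installed security manager");
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /**
     * Attempts to remove the installed manager, as untrusted code would have
     * to do to run unrestricted. Returns true if the attempt was blocked by a
     * SecurityException, false if the manager was actually replaced.
     */
    static boolean tryToReplaceManager() {
        try {
            System.setSecurityManager(null);
            return false; // gate did not hold
        } catch (SecurityException e) {
            return true;  // gate held: checkPermission refused the request
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new StrictManager());
        boolean blocked = tryToReplaceManager();
        System.out.println("setSecurityManager(null) blocked: " + blocked);
        System.out.println("manager still installed: "
                + (System.getSecurityManager() instanceof StrictManager));
    }
}
```

Compile with `javac SecurityManagerGateDemo.java` and run with `java SecurityManagerGateDemo`; both lines print `true`. The point for defenders is that this check is only as strong as the code path that reaches it: the vulnerability described in the note did not defeat checkPermission itself, it reached privileged internals (JMX MBean and sun.org.mozilla.javascript.internal classes) that could call setSecurityManager from a trusted context, which is why the only effective mitigation at the time was to keep untrusted applets out of the browser entirely.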

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Note: Due to what appears to be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.

