Oracle Releases Security Fix for Java 7

by Alex Blewitt on Jan 14, 2013 |

Today Oracle released Java SE 7u11 to fix security vulnerability CVE-2013-0422, which has been widely exploited over the past few days to remotely install and execute code on computers whose browser is configured to allow Java to run. The exploits take advantage of applets, since browsers are often unnecessarily configured to run Java, and use features of the Java 7 runtime together with the reflection API to escape the applet security sandbox.

Although this is the first security-related fix of the year, it isn't the first time that Java 7 has been the focus of security exploits. Back in October 2012, CVE-2012-5083 and CVE-2012-1531 both allowed untrusted code to be run through an escape in the 2D framework, and the issues reported there also used the reflection API.

The zero-day exploit, meanwhile, was already being used widely in penetration testing tools like Metasploit and Blackhole. This led US Homeland Security to issue a warning advising users to disable Java in the browser, even after updating to Java 7u11, to avoid future security issues. As a result, Oracle was quick to act, even though it had previously said it would only release security updates quarterly.

In an ironic twist of fate, Apple was one of the first to remotely disable Java in the browser, by issuing an update to the OS X anti-malware definition file /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist. The update adds a minimum plugin bundle version below which Java applets are not allowed to run in the browser:

<dict>
        <key>LastModification</key>
        <string>Thu, 10 Jan 2013 22:48:02 GMT</string>
        <key>PlugInBlacklist</key>
        <dict><key>10</key><dict>
                <key>com.oracle.java.JavaAppletPlugin</key>
                <dict><key>MinimumPlugInBundleVersion</key>
                <string>1.7.10.19</string></dict>
                </dict>
        </dict>
</dict>
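To show how a defender can check what such a blacklist entry actually enforces, here is an added example (not from the article or from Apple) that parses a constructed copy of the XProtect.meta.plist fragment above and decides whether a given Java plugin version would be blocked. It assumes the plugin bundle identifier and version strings shown above, and treats versions as dotted integer tuples.

```python
import plistlib

# Constructed sample mirroring the XProtect.meta.plist fragment quoted above.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Thu, 10 Jan 2013 22:48:02 GMT</string>
    <key>PlugInBlacklist</key>
    <dict><key>10</key><dict>
        <key>com.oracle.java.JavaAppletPlugin</key>
        <dict><key>MinimumPlugInBundleVersion</key>
        <string>1.7.10.19</string></dict>
    </dict></dict>
</dict>
</plist>
"""


def parse_version(version):
    """Split a dotted bundle version such as '1.7.10.19' into a tuple of ints
    so that comparisons are numeric per component, not lexicographic."""
    return tuple(int(part) for part in version.split("."))


def minimum_versions(plist_bytes):
    """Return {bundle_id: minimum version string} from the PlugInBlacklist dict.
    The key directly under PlugInBlacklist ('10' in the sample) groups entries;
    every group is flattened into one mapping."""
    meta = plistlib.loads(plist_bytes)
    minimums = {}
    for group in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, entry in group.items():
            minimums[bundle_id] = entry["MinimumPlugInBundleVersion"]
    return minimums


def plugin_blocked(plist_bytes, bundle_id, installed_version):
    """True if installed_version is older than the minimum XProtect allows,
    i.e. the browser would refuse to load this plugin. Unlisted bundles
    are not subject to any minimum and are therefore not blocked."""
    minimums = minimum_versions(plist_bytes)
    if bundle_id not in minimums:
        return False
    return parse_version(installed_version) < parse_version(minimums[bundle_id])


if __name__ == "__main__":
    plugin = "com.oracle.java.JavaAppletPlugin"
    for v in ("1.7.10.18", "1.7.10.19", "1.7.11.21"):
        print(v, "blocked" if plugin_blocked(SAMPLE_XPROTECT_META, plugin, v) else "allowed")
```

The bundle version 1.7.10.19 corresponds to the Java 7u10 plugin bundle, so only the update to 7u11 or later brings the plugin back above the threshold.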

To protect against future vulnerabilities, the Java update also changes the default security level so that unsigned Java applets run only under the 'high' security setting. When the Java applet plugin is enabled, this pops up a warning dialog whenever an unsigned applet is encountered.

To find out if your browser is configured to run Java, go to the JavaTester website. To stop Java applets from running in a browser, follow the How to disable Java in the browser documentation on Oracle's website. Java applications running outside a browser are unaffected by this attack vector, since they already run without a security manager.
