Oracle Releases Security Fix for Java 7
Today Oracle released Java SE 7u11 to fix security vulnerability CVE-2013-0422, which has been widely used in the past few days to remotely install and execute code on computers whose browser is set to allow Java to run. These take advantage of applets, often unnecessarily configured to run Java in the browser, and can escape their security sandbox through features in the Java 7 runtime and reflection to escape the applet sandbox.
Although the first security-related fix for this year, this isn't the first time that Java 7 has been the focus for the security exploits. Back in October 2012, with CVE-2012-5083 and CVE-2012-1531, both of which allowed for untrusted code to be run through an escape in the 2D framework. The issues reported here were also used the reflection API.
The existence of the zero-day exploit, however, was being used widely in penetration testing tools like Metasploit and Blackhole. This led the US Homeland Security to issue a warning to users to disable Java in the browser, even if you have updated to Java7u11, to avoid any future security issues. As a result, Oracle was quick to act, even though they have previously said they would only release security updates quarterly.
In an ironic twist of fate, Apple was one of the first to remotely disable Java in the browser, by issuing an update to the OSX anti-malware description file in
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist. This adds a minimum version to allow Java applets to run in the browser:
<dict> <key>LastModification</key> <string>Thu, 10 Jan 2013 22:48:02 GMT</string> <key>PlugInBlacklist</key> <dict><key>10</key><dict> <key>com.oracle.java.JavaAppletPlugin</key> <dict><key>MinimumPlugInBundleVersion</key> <string>220.127.116.11</string></dict> </dict> </dict> </dict>
To protect against future vulnerabilities, the Java update also sets the use of unsigned Java applets to only run in the 'high' security context. This pops up a warning dialog when an unsigned applet is found, if the Java applet plugin is enabled.
To find out if your browser is configured to run Java, go to the JavaTester website. To disable Java applets from running in a browser, follow the How to disable Java in the browser documentation from Oracle's website. Java applications running outside a browser are unaffected by this security vector, since Java applications already run without a security manager.