Java is under attack again. A zero-day vulnerability in Java is being actively exploited in the wild. The current attacks seem to be targeted, but security experts warn that more widespread attacks could be imminent.
Alongside Adobe Reader and Adobe Flash, Java is one of the most widely installed pieces of client software, and its long record of exploitable vulnerabilities makes it a favorite target for attackers.
Proof-of-concept (PoC) exploit code for this vulnerability has already been published as a module for the Metasploit Framework. Wolfgang Kandek, CTO of Qualys, explains that this is concerning because it puts a working exploit in the hands of a much wider audience, which usually means more attacks targeting the Java vulnerability are on the horizon.
Andrew Storms, director of security operations for nCircle, is concerned that it could be a while before a patch or update is released to resolve the vulnerability and guard against these attacks. “Oracle isn’t known for releasing patches out of cycle and the next scheduled update for Java isn’t until October. Part of the problem is that Java is so ubiquitous that it tends to be overlooked as a ‘small’ piece of software.”
Kandek warns that until a patch is released, the only real defense users can employ is to limit their use of Java or uninstall it altogether. Uninstalling it may be a tad extreme, though: the Java security controls can be configured to restrict Java content to well-known websites that are less likely to harbor malicious exploits, which removes most of the drive-by exposure without breaking legitimate applications.
Right now, it seems that only the newer version of Java, version 7, is vulnerable to the zero-day. Java 6 (reported by the runtime as version 1.6) may not be affected, but that had not been confirmed at the time of writing. The current attacks are aimed at Java 7 on Windows, but the Metasploit Framework PoC exploit also works on Mac OS X, so Apple users should be on guard as well.
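Because the article's only reliable version distinction is "Java 7 affected, Java 6 unclear", the first thing to check on a machine is which runtime it actually has. The script below is an added example, not part of the original article or any vendor tooling: it parses the banner that `java -version` prints (on stderr, in the `java version "1.7.0_06"` form used by Java 7 and earlier, with the newer `"17.0.1"` form also handled) and classifies the installation according to the article's statements. The sample banners are constructed for illustration, and the classification labels are this example's own.

```python
import re
import subprocess

# Constructed sample banners in the format `java -version` prints to stderr.
SAMPLE_BANNERS = {
    "java7": 'java version "1.7.0_06"\n'
             'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
             'Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)\n',
    "java6": 'java version "1.6.0_33"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "modern": 'openjdk version "17.0.1" 2021-10-19\n',
    "empty": "",
}

# Matches both the legacy "1.7.0_06" scheme and the post-Java-9 "17.0.1" scheme.
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?'
)


def parse_java_version(banner):
    """Return (feature, minor, update) from a `java -version` banner, or None.

    Legacy banners encode the feature release as the second component
    ("1.7.0_06" -> 7), newer banners as the first ("17.0.1" -> 17).
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    first, second, third, update = match.groups()
    first, second, third = int(first), int(second), int(third)
    if first == 1:
        # Legacy "1.x.y_uu" scheme: x is the feature release, _uu the update.
        return (second, third, int(update) if update is not None else 0)
    # Newer "x.y.z" scheme: x is the feature release, z the update/patch.
    return (first, second, third)


def classify(banner):
    """Classify a runtime per the article: Java 7 is affected, Java 6 unclear.

    Labels are this example's own: "affected", "unclear", "newer", "unknown".
    """
    version = parse_java_version(banner)
    if version is None:
        return "unknown"
    feature = version[0]
    if feature == 7:
        return "affected"
    if feature == 6:
        return "unclear"
    if feature > 7:
        # Releases after the article's time frame; not covered by its claims.
        return "newer"
    return "unknown"


def installed_java_banner():
    """Run `java -version` on this machine and return its stderr banner.

    Returns "" if no java binary is on PATH, so classify() reports "unknown".
    """
    try:
        result = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    # Historically the banner goes to stderr; fall back to stdout just in case.
    return result.stderr or result.stdout


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:7s} -> {parse_java_version(banner)} -> {classify(banner)}")
    print("local   ->", classify(installed_java_banner()))
```

Running it prints the classification of each constructed sample and then of whatever `java` is on the local PATH. Note that this checks the command-line runtime only; a browser plugin can be a different installation, so the plugin state still has to be checked from the browser or the Java control panel as described below.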
If you’re not sure whether Java is enabled or disabled in Mac OS X, there’s a way to find out. Kandek says, “Mac users can check on the state of Java by using the Java Preferences program, which allows the user to disable the connection between Java and the browser by unchecking the ‘On’ field.”
Storms takes issue with Oracle’s lack of disclosure and transparency when it comes to threats like this. “Oracle really should take a page out of Microsoft’s security response book and start communicating with users about security issues.”
Storms sums up, “Until then, the only recourse for users is to disable Java in all Web browsers to protect against drive-by attacks.”