Java 0Day: Turn off Java applets now
All versions of Java 7, including the current Java 7 update 6, are vulnerable to the hole that is already being exploited in the wild. With the publication of a vulnerability notice by the US-CERT and warnings from the German BSI (Federal Office for Information Security), the best advice for all users is to disable Java applets in their browsers on all operating systems.
The vulnerability can be exploited when a user visits a specially crafted web site and can be used to infect a system with malware. The code to exploit the problem is already available on the internet, making its use for infecting systems very likely. There is no patch available for the flaw so it is essential that users disable the Java plugins used by their browsers. Instructions for the various browsers can be found below:
- How to turn off Java Applets in Firefox
- Plugins in Chrome - refer to the Disable Specific Plugins section
- Disable Java in Safari
Opera's plugin controls can be found by entering opera:plugins in the address bar. For Internet Explorer (IE), the process is apparently anything but simple: users should select the "Manage Add-ons" menu item and disable the Oracle Java plugins from there, but in testing it has been found that the exploit still worked after this. US-CERT also notes that this method "may not work on Vista or newer systems" and offers other options for IE users in the solution section of its advisory. It may be simpler, of course, to just uninstall Java.
Where users must use Java to access particular sites, then one option would be to use Firefox and the NoScript add-on. NoScript can whitelist web sites which require access to the Java plugin. To test if Java is installed, users can use this browser check page. If Java is enabled, it will be displayed in a red banner with version number. If not, then the panels should be blank or asking to start/install Java to run the Java applets.
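As an added illustration of what such a browser check does (this is not the check page's own code), the following script enumerates the browser's plugin list, picks out a Java plugin and reports its major version; the sample plugin entries are constructed in the format browsers of the time exposed for the Oracle plugin, which is an assumption.

```javascript
// Added example: detect a Java plugin via navigator.plugins and flag Java 7.
// Plugin naming ("Java(TM) Platform SE 7 U6") is assumed from typical entries.

function findJavaPlugin(plugins) {
  // plugins: array-like of {name, description}, e.g. navigator.plugins
  const result = { present: false, major: null, update: null, affected: false };
  for (let i = 0; i < plugins.length; i++) {
    const p = plugins[i];
    const text = `${p.name || ''} ${p.description || ''}`;
    if (!/java/i.test(text)) continue;
    result.present = true;
    // "Java(TM) Platform SE 7 U6" -> major 7, update 6
    const m = /Platform SE (\d+)(?: U(\d+))?/i.exec(text);
    if (m) {
      result.major = parseInt(m[1], 10);
      result.update = m[2] ? parseInt(m[2], 10) : null;
    }
    // Per the advisory, every Java 7 release, 7u6 included, is affected.
    result.affected = result.major === 7;
    break;
  }
  return result;
}

function reportJava(plugins) {
  const r = findJavaPlugin(plugins);
  if (!r.present) return 'No Java plugin is exposed to web pages.';
  const ver = r.major === null ? 'unknown version'
    : `Java ${r.major}` + (r.update !== null ? ` update ${r.update}` : '');
  return r.affected
    ? `Java plugin enabled (${ver}): affected by the unpatched hole, disable it.`
    : `Java plugin enabled (${ver}): not Java 7, but still an exposed plugin.`;
}

// Constructed sample resembling a Windows/Firefox plugin list of the period.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 11.3 r300' },
  { name: 'Java(TM) Platform SE 7 U6',
    description: 'Next Generation Java Plug-in 10.6.2 for Mozilla browsers' },
];

// In a browser, inspect the real plugin list; elsewhere, use the sample.
const haveNavigator = typeof navigator !== 'undefined' && navigator.plugins;
console.log(reportJava(haveNavigator ? navigator.plugins : SAMPLE_PLUGINS));
```

A plugin that has been disabled in the browser's add-on settings normally no longer appears in navigator.plugins, so an empty result after disabling Java is the expected outcome.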
Some may consider downgrading to Java 6 to avoid the problem, but this is unwise for a number of reasons. Firstly, although the vulnerability has been exposed on Java 7, there is always a possibility that a malicious developer will work out how to make use of it on Java 6. Secondly, Java 6 already has numerous security holes which have been closed in Java 7, so switching to it would merely expose users to a range of better-known vulnerabilities. Oracle has, so far, neither warned customers about the vulnerability nor responded to requests for comment from heise Security, The H's associates in Germany. The next scheduled update for Java is due in October.
For more information and details about the vulnerability itself, see The new Java 0day examined on The H Security.