[muglo] Java issue

  • From: Frank Birch <fbirch@xxxxxxxxxx>
  • To: muglo@xxxxxxxxxxxxx
  • Date: Tue, 28 Aug 2012 14:53:17 -0400

Just two weeks after Oracle officially took over responsibility for Java on OS 
X with the launch of Java SE 7 Update 6, a new Java vulnerability has been 
discovered to pose a significant threat to systems running the software. Krebs 
on Security highlighted the issue yesterday, noting that it affects all 
versions of Java 7 on most browsers.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat 
sparse blog post by FireEye, which said the exploit seemed to work against the 
latest version of Java 7, which is version 1.7, Update 6. This morning, 
researchers Andre’ M. DiMino & Mila Parkour published additional details on the 
targeted attacks seen so far, confirming that the zero-day affects Java 7 
Update 0 through 6, but does not appear to impact Java 6 and below. 

Initial reports indicated that the exploit code worked against all versions of 
Internet Explorer, Firefox and Opera, but did not work against Google Chrome. 
But according to Rapid 7, there is a Metasploit module in development that 
successfully deploys this exploit against Chrome (on at least Windows XP).

The report notes that Oracle is moving to a quarterly update cycle for Java, 
meaning that the next regularly-scheduled update to Java SE 7 is not planned 
until October, but it is unclear how quickly the company will move to address 
the issue. In the interim, some security experts are developing an unofficial 
patch while users are advised to simply disable Java if they do not need it 
active on their systems. 

Computerworld reports that the issue does indeed affect fully-updated Macs 
running Java 7 on top of OS X Mountain Lion.

David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- 
which was published less than 24 hours after the bug was found -- is effective 
against Java 7 installed on OS X Mountain Lion. 

"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime 
Environment]," said Maynor in an update to an earlier blog post. 

JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that 
was released earlier this month.

Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS 
X systems. 

Apple has of course had its own issues with Java vulnerabilities, most recently 
with the Flashback malware that was able to infect over 600,000 Macs by taking 
advantage of an exploit in Java 6 that had already been patched by Oracle for 
most platforms but not by Apple for OS X. It is due to smaller, previous 
incidents similar to Flashback that Apple had already been moving to shift 
responsibility for Java updates to Oracle, a move that is taking place with 
Java 7. But while Mac users will now receive Java updates simultaneously with 
users on other platforms, Java remains one of the highest-profile targets for 
attackers seeking to compromise systems on a broad basis. 

Update: CNET noted earlier today that most Mac users are not currently 
susceptible to the issue, as Java 7 is not installed by default on Macs. The 
current version of Java installed on Mac remains Java 6 for the time being, so 
users would have to have manually updated to Java 7 in order for their systems 
to be vulnerable.
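
The post says the affected range is Java 7 Update 0 through 6 and that Macs still on Java 6 are not exposed, so the practical check is "which JRE is actually installed". The script below is an added example, not part of the original post or of any vendor tool: it classifies a `java -version` banner line against that reported range. It assumes the banner uses the 1.<major>.0_<update> form (for instance java version "1.7.0_06"), which the post does not quote.

```shell
#!/bin/sh
# Added example: classify a `java -version` banner against the range the
# post reports as affected by CVE-2012-4681 (Java 7 Update 0 through 6).
# Assumption: the banner looks like   java version "1.7.0_06"   (1.x form).

# Print "affected", "not-in-reported-range" or "unknown" for one banner line.
classify_java_banner() {
    banner="$1"
    # Pull the quoted version out; the _NN update part is optional (7 GA = Update 0).
    ver=$(printf '%s\n' "$banner" \
        | sed -n 's/^[a-z]* version "\([0-9][0-9.]*\(_[0-9]*\)\{0,1\}\)".*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    # Only the 1.<major> numbering scheme is handled here.
    case "$ver" in
        1.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=$(printf '%s\n' "$ver" | cut -d. -f2)
    case "$ver" in
        *_*) update=$(printf '%s\n' "$ver" | sed 's/.*_0*//') ;;  # "06" -> "6"
        *)   update=0 ;;
    esac
    [ -z "$update" ] && update=0                                   # "_00" -> 0
    if [ "$major" -eq 7 ] && [ "$update" -le 6 ]; then
        echo affected
    else
        echo not-in-reported-range
    fi
}

# Query the JRE on this machine, if one is on the PATH at all.
check_local_java() {
    if command -v java >/dev/null 2>&1; then
        classify_java_banner "$(java -version 2>&1 | head -n 1)"
    else
        echo not-installed
    fi
}
```

"not-in-reported-range" only means the version is outside Java 7 Update 0 through 6 as the post describes it; it is not a statement that the build is free of other issues.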