New Java vulnerability likely to remain unpatched until October 2012

UPDATE: Oracle releases a fix ahead of schedule.

A recently-discovered security flaw in Java is going to make web browsing more dangerous than usual over the coming weeks.

The new vulnerability has already been exploited to develop a working attack that can affect Windows, Linux and MacOS computers to varying degrees. The exploit code is available as part of the controversial Metasploit and Blackhole hacking toolkits. That means we can expect real, web-based attacks to start appearing almost immediately.

Anyone wanting to compromise vulnerable systems need only place the attack code on a web site and wait for those systems to visit the site. In this case, vulnerable systems include just about any Windows or Linux system running a web browser with Java enabled.

Java is typically installed both as a stand-alone runtime environment and as a plugin for web browsers. Both environments are vulnerable to this attack. Java is widely used for a variety of applications, including open source tools like Freemind and Eclipse. Some web sites use Java to provide functionality beyond what’s normally possible with web browsers.

Unfortunately, unless Java’s developer decides to issue an out-of-cycle patch for this vulnerability, it won’t be fixed until the next update cycle, which is scheduled for October 2012.

Recommendations

Standalone, locally-hosted Java applications you’re already using should be safe. Until the vulnerability is patched, we don’t recommend new installations of any Java-based software.

If you don’t use Java, or can live without it until a fix is made available, you can disable it completely in your operating system. However, this is overkill.

Attacks exploiting this vulnerability are much more likely to appear on compromised and nefarious web sites. Navigating your web browser to such a site will almost certainly infect your computer with some kind of malware. Savvy web users already know that care should be exercised when web browsing at any time, but until this security hole is fixed, blindly clicking on web links and browsing to unknown web sites is going to be like playing Russian Roulette. Because of this, many security experts are recommending disabling Java in web browsers, until the flaw is patched.

Here are some more technical details from CERT.

Additional related articles

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

2 thoughts on “New Java vulnerability likely to remain unpatched until October 2012”

Leave a Reply

Your email address will not be published. Required fields are marked *