Feds issue warning on Java security
By: Tal Kopan
January 12, 2013 12:11 PM EST
The U.S. Department of Homeland Security is recommending that Internet users disable Java in their Web browsers after pinpointing vulnerability in the Oracle software.
According to a Thursday afternoon post on the U.S. Computer Emergency Readiness Team’s website, Java 7 Update 10 and earlier could allow a remote user to “execute arbitrary code on vulnerable systems,” putting it at risk for malware. A cyberattacker could exploit the risk to either direct a user to visit a website that would download malicious software to their computer or to access a legitimate website and compromise it with a malicious applet (a “drive-by download”), CERT said.
The vulnerability is already being exploited, according to the post, and is reportedly being incorporated into publicly available exploit kits.
Oracle declined to comment on the warning.
CERT vulnerability analyst Will Dormann says the flaw could affect all of Java’s users, which, according to Oracle, reaches 1.1 billion.
“Some users may be running Java 6, which is unaffected by this vulnerability. However, Oracle has reported that it will be automatically updating Java 6 users to Java 7, starting in December 2012. So before long, that would mean that 1.1 billion desktop systems could be vulnerable, assuming that Oracle's numbers are correct,” Dormann said in an email to POLITICO.
Dormann said making matters worse is the fact that the vulnerability is true for most operating systems, including Windows, OS X and Linux, and browser-level protections will not work against it.
“When you combine these aspects together, you get a very attractive target for an attacker,” he said.
CERT says it recommends disabling Java altogether, as it is unaware of a solution to the issue.
The agency credited user Kafeine on the blog “Malware don’t need Coffee” for pointing out the flaw.