New Java 7 bug prompts calls for web users to axe plug-in

11 Jan, 2013

Computer users ordered to uninstall or disable Java 7 until Oracle patches latest vulnerability.

PC and Mac users must disable Java in their web browsers following the discovery of another zero-day vulnerability that is reportedly being used by hackers to take over people’s computers.

The stark warning was made by the US government’s Computer Emergency Readiness Team (CERT) yesterday in an alert, which claims that all browsers using the Java 7 plug-in are at risk.

The group warned that the Java Deployment Toolkit plug-in and Java Web Start can also be used by hackers to attack vulnerable systems.

“Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available,” the US CERT advisory stated.

The vulnerability is understood to affect the Java Security Manager, allowing applets to grant themselves permission to execute arbitrary code.

“An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet,” the alert added.

“An attacker could also compromise a legitimate website and upload a malicious Java applet [known as a ‘drive-by download’ attack].”

In a further advisory document, the organisation urges computer users to disable or uninstall Java in their web browsers and to avoid accessing Java applets from unknown sources.

It also says users can reduce the risk by using a dedicated browser for tasks that require Java.

“If you use a website that requires Java, choose and configure a browser to have Java enabled, and only access that resource with that browser,” it stated.

“This helps minimise the exposure of Java to untrusted websites,” it added.

Jaime Blasco, head of labs at security vendor AlienVault, said the zero-day vulnerability is similar to the ones that blighted web users last August.

“Everyone running an updated version of Java in Windows and probably in Mac OS X is at risk right now, until Oracle releases a patch,” Blasco added.