Java Vulnerabilities in the Wild, A Guide to Stopping the Latest Flaw

You’ve probably heard the hype about the latest Java vulnerability. More precisely, the flaw is in the JRE, and the exploit path runs through its client-side pieces: the browser plug-in and Java Web Start, which let a browser run Java applets and Web Start applications. The method used to exploit the flaw relies on functionality introduced in Java 7, so Java 6 is not affected.

Many sites use Java on the server side, but this vulnerability is client-side only. It is exploited either by tricking a user into visiting a malicious site (you don’t click any old link you receive in an email, right?) or by compromising a legitimate site and injecting the exploit code into its pages. In that respect it is similar to the Internet Explorer vulnerability that was addressed by an out-of-cycle patch yesterday (Jan 14). I strongly recommend you update Internet Explorer as well.

The first step is to find out whether Java is installed at all, which version it is, and whether your web browser prompts you before running the plug-in.

You can visit this web page to test whether Java is working on your computer:

  • If it says “Something is wrong. Java is not working.”, then either Java is not installed or it is completely disabled in your browser. You are not exposed through the browser, but if Java 7 is installed you should still update to the latest version of the JRE, in case you enable it in the future.
  • If your browser prompts you before allowing the plug-in to run, you are well on your way: a site carrying a malicious applet would trigger the same prompt before anything runs. Only allow the plug-in on sites you trust and know need an applet to function properly. Allow it on the test page so you can see which version of Java you are running.

The highest-risk situation is running Java 7 without being prompted before the plug-in runs. If that is you, update Java and correct your browser’s security settings as soon as possible.

One option is to disable Java in your browser altogether. This works, but some websites may no longer function properly afterwards. If you know you don’t use Java applets, feel free to disable it; you can always re-enable it if a site you rely on stops working.

To help avoid having to disable Java altogether, the latest Java release changes the default Java Security Level from “Medium” to “High”. At “High”, you are always prompted before any unsigned Java applet or Java Web Start application runs, so every applet needs your confirmation. If it is a site you haven’t visited before, you may choose not to run it. If it is a site you trust and know uses an applet you have run before, it is probably safe to allow.
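As an added illustration (this script is not part of the original post), the following Python automates the checks above from the command line: it parses the version string that `java -version` prints and reads the Java plug-in’s deployment.properties to see whether Java is disabled in the browser or the Security Level forces a prompt. The fixed update number is a parameter you supply from the vendor’s advisory, not a value taken from the post; the deployment.properties file locations and the handling of the Java 9+ version format are assumptions that go beyond what the post discusses.

```python
import os
import re
import sys
from subprocess import run, PIPE

# `java -version` prints e.g.  java version "1.7.0_10"   (Java <= 8: 1.<major>.0_<update>)
# or, on Java 9 and later,     openjdk version "11.0.2"  (<major>.<minor>.<patch>).
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Typical per-user locations of the plug-in's deployment.properties (assumed here,
# not taken from the post; adjust if your Java Control Panel stores it elsewhere).
_DEPLOYMENT_PATHS = [
    os.path.expanduser("~/AppData/LocalLow/Sun/Java/Deployment/deployment.properties"),            # Windows
    os.path.expanduser("~/Library/Application Support/Oracle/Java/Deployment/deployment.properties"),  # macOS
    os.path.expanduser("~/.java/deployment/deployment.properties"),                                 # Linux
]


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if no Java is present."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    first, second, _patch, update = m.groups()
    major = int(second) if first == "1" else int(first)  # 1.7.0_10 -> 7, 11.0.2 -> 11
    return major, int(update or 0)


def installed_java_version():
    """Run `java -version` (it writes to stderr) and parse it; None if java is not on PATH."""
    try:
        proc = run(["java", "-version"], stdout=PIPE, stderr=PIPE, text=True)
    except OSError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


def parse_deployment_properties(text):
    """Parse deployment.properties (key=value lines, '#' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def load_deployment_properties(paths=_DEPLOYMENT_PATHS):
    """Read the first deployment.properties found; an empty dict means Java's defaults apply."""
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                return parse_deployment_properties(fh.read())
    return {}


def assess(version, props, fixed_update):
    """Classify exposure the way the post does.

    version      -- (major, update) from parse_java_version(), or None
    props        -- deployment.properties as a dict (empty = defaults)
    fixed_update -- the Java 7 update number carrying the fix; supply it from the
                    vendor advisory (it is a parameter here, not a value from the post)
    Returns (risk, message) with risk in {"none", "low", "medium", "high"}.
    """
    if version is None:
        return "none", "Java is not installed or not on PATH: not exposed through the browser"
    major, update = version
    if major != 7:
        return "none", "Java %d is not the affected Java 7 line; keep it patched anyway" % major
    if update >= fixed_update:
        return "none", "Java 7 update %d is at or above the fixed update" % update
    # deployment.webjava.enabled=false disables Java in all browsers; the Security Level
    # slider is stored as deployment.security.level. Pre-fix Java 7 defaulted to MEDIUM.
    web_enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    level = props.get("deployment.security.level", "MEDIUM").upper()
    if not web_enabled:
        return "low", "Java 7 below the fixed update but disabled in the browser: update before re-enabling"
    if level in ("HIGH", "VERY_HIGH"):
        return "medium", "Java 7 below the fixed update; you are prompted before applets run: update now"
    return "high", "Java 7 below the fixed update and applets run without a prompt: update and set the Security Level to High"


if __name__ == "__main__":
    fixed = int(sys.argv[1]) if len(sys.argv) > 1 else 0  # fixed update number from the advisory
    risk, msg = assess(installed_java_version(), load_deployment_properties(), fixed)
    print("[%s] %s" % (risk.upper(), msg))
```

Run it as `python java_check.py <fixed_update>` with the update number from the advisory; with no argument every Java 7 install is reported as patched, so always pass the number. The assessment only mirrors the post’s decision tree (not installed, Java 6, plug-in disabled, prompted at “High”, or unprompted), so treat a “high” result as the cue to update and raise the Security Level, not as a confirmation that the machine has been exploited.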

Like the Java vulnerability, the Internet Explorer vulnerability has been exploited in the wild, so update both as soon as possible.

Remember that all software contains bugs, some known and some not yet known. Always follow safe web browsing practices: have your browser prompt you before a Java applet or Flash plug-in runs or a PDF document opens, and don’t click on links in emails you do not trust (or better, never click them; copy the URL and paste it into your browser). This Java vulnerability lets an attacker execute arbitrary code on a vulnerable system, but if you are not using a privileged (Administrator) account, the impact such an attack can have on your system is limited.

Please share this content with your colleagues to make sure they are aware of these vulnerabilities!

©1996-2011 INetU Inc, All Rights Reserved.