There is a vulnerability in Java 7 Update 10 that allows attackers to take control of computers running that version of Java. This security lapse on Oracle's part has left the worldwide Java community baffled, to say the least. What makes this a real threat is that it was not Oracle who first identified and published information about the flaw; it was the U.S. Department of Homeland Security that issued a warning.
Oracle finally acknowledged the problem on its Facebook page, issuing a statement that it recognized the issue and would provide a fix shortly.
Here is the problem as explained by the U.S. Department of Homeland Security:
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin. The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException."
By leveraging a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 Update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected. The invokeWithArguments method was introduced with Java 7, so Java 6 is not affected.
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Oracle Java 7 installed on Windows, OS X, and Linux platforms is affected. Other platforms that use Oracle Java 7 may also be affected.
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.
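The Oracle documentation quoted above describes the check that protects the sandbox: once a security manager is installed, any attempt to replace or remove it must pass that manager's checkPermission for RuntimePermission("setSecurityManager"). The following is an added illustration (not code from Oracle, US-CERT or this article) of that control working as intended; the LockedSecurityManager class is a hypothetical minimal manager written for the demo.

```java
import java.security.Permission;

// Added example: demonstrates that with a SecurityManager installed, a later call
// to System.setSecurityManager() is vetted by the existing manager and refused
// with a SecurityException. This is the control an unsigned applet is supposed
// to be unable to get past. On JDK 18 and later, run with
// -Djava.security.manager=allow, because setting a manager is disabled by default.
public class SecurityManagerGuardDemo {

    // Hypothetical minimal manager: permissive for everything except the one
    // permission that protects the manager itself. A real policy is far stricter.
    static class LockedSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("refusing to replace the security manager");
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Installs the locked manager, then tries to remove it the way untrusted
    // code disabling the sandbox would (setSecurityManager(null)).
    // Returns true if the installed manager blocked that attempt.
    static boolean replacementIsBlocked() {
        System.setSecurityManager(new LockedSecurityManager());
        try {
            System.setSecurityManager(null);
            return false; // sandbox was silently removed: this must not happen
        } catch (SecurityException expected) {
            return true;  // checkPermission(RuntimePermission("setSecurityManager")) fired
        }
    }

    public static void main(String[] args) {
        boolean blocked = replacementIsBlocked();
        System.out.println("Replacement blocked: " + blocked);
        System.out.println("Original manager still installed: "
                + (System.getSecurityManager() instanceof LockedSecurityManager));
    }
}
```

Both lines print true on an unaffected JRE; the reported flaw matters precisely because it let unprivileged code reach setSecurityManager() without this check stopping it.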
This was last week, and since then Oracle has provided an update, Java 7 Update 11. But there are reports that this vulnerability affects all updates of Java 7 starting from the very first; we therefore ask users to uninstall Java 7 and roll back to Java 6 for the time being.
End User Warning: This is a serious issue and should not be ignored, especially because Java experts from around the world are urging users to uninstall Java 7 until Oracle confirms a permanent fix rather than a stopgap update.