Disable Java NOW, users told, as 0-day exploit hits web

Status
Not open for further replies.

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/

When notable exploits began appearing for past versions of Java that Apple supported, the company took very basic but effective measures at tackling the issues, with the predominant one being to automatically disable the Java browser plug-in for systems that do not regularly use it. Unfortunately, Oracle's Java runtime does not support these security measures, so as long as it is installed it will remain active by default.

Unfortunately, even with this vulnerability being exploited, Oracle updates Java on a quarterly basis, so unless the company breaks this schedule (a rarity) to address this issue, users have to wait until October to receive a patch. Some third parties have developed their own patches for the runtime, but are only issuing them to specific organizations that have special needs for them.

As a result, if you have Java 7 installed on your system then the only effective means of closing this vulnerability is to disable the Java plug-in or remove the Java runtime altogether.

http://reviews.cnet.com/8301-13727_7-57501517-263/new-java-7-exploit-can-potentially-affect-macs/

Several security firms advised users to immediately disable Java software -- installed in some form on the vast majority of personal computers around the world -- in their Internet browsers. Oracle says that Java sits on 97 percent of enterprise desktops.

http://articles.chicagotribune.com/2012-08-27/business/sns-rt-cybersecurity-javal1e8jri85-20120827_1_security-firms-hackers-internet-browsers
 

Gnosis

Level 5
Apr 26, 2011
2,779
Wow. I swear I just recently torched it, like within the last month. So glad................
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Oh boy, I just made a post in another thread relating to Java and this backs it up completely. :rolleyes:
 
Plexx

Some sites I require for work purposes unfortunately require Java, so I have no option but to have it on. What I do, however, is have it on a clean VM I use for browsing, so it should be ok I suppose.

Java was removed a while ago from my host due to a faulty upgrade and ever since then I forgot to install it :p

Guess I won't be installing it on my host any time soon.
 