Major Java 7 Vulnerability in the Wild – Update Now
January 19th, 2013
A little over a week ago, word spread on the Internet that a previously unknown security flaw in the Java browser plugin was being “massively exploited in the wild”. The bug allows an attacker to execute arbitrary commands on a vulnerable system. It exists in all versions of Java 7 through update 10, which was the latest release as of a week ago. Based on the widespread use of Java (installed on more than 1 billion PCs) many organizations, including the US government, recommended disabling Java in the browser, or uninstalling Java completely.
The real problem was not that a flaw was found, but that it was already in the wild and had infected a significant number of machines.
Oracle released an emergency patch within three days of the announcement: Java 7 Update 11. If you’ve not already done so, you should update your Java software—this can be done via the Java Control Panel, or via www.java.com. Developers who use the JDK can go to the Java download page to get the latest version. If you don’t know which version(s) of Java you have installed, this page will tell you.
Note that even with the update from Oracle, US-CERT still recommends disabling Java in browsers, to “defend against … future Java vulnerabilities.” Apparently optimism is not in their vocabulary.
Link #1 (announcement of flaw): http://arstechnica.com/…
Link #2 (announcement of update): http://arstechnica.com/…
Link #3 (govt advisory): http://www.us-cert.gov/…
Link #4 (oracle advisory): http://www.oracle.com/…
