Up until Sunday, January 13th, there was an unpatched zero day in Java 7u10 being actively exploited in the wild. The interesting (and frightening!) part about this is that, due to the nature of Java, it was possible to make the malware work on Windows, Linux, and Unix systems. While Mac OS X wasn’t targeted, there doesn’t seem to be much in the way of taking that next step, since OS X is similar to Unix and Java is, of course, cross-platform.

Despite that, Apple took steps to disable vulnerable versions of Java and many organizations released advisories to disable Java.

Recommendation #1: The greatest exposure to the issue comes via the browser, so the first recommendation is to disable Java in all installed browsers.

Recommendation #2: The second recommendation is to increase Java’s security level in the Security section of the Java control panel to “High” or “Very high.” The user will then be prompted before code runs: at “High” for code that is unsigned, and at “Very high” for all code regardless of signature.

Recommendation #3: On Sunday, a patch was released. All users should update to u11 in order to address the issue. It’s also not a bad idea to keep Java disabled and the security level elevated, as this isn’t the first such issue for Java in the past few months… and is probably not going to be the last!

According to Rapid7’s H.D. Moore, it could take Oracle as long as 2 years to fix the existing issues in Java, and that estimate is if nothing new is discovered in the meantime. "The safest thing to do at this point is just assume that Java is always going to be vulnerable," Moore said. Moore further stated: "Folks don't really need Java on their desktop. The amount of utility it offers is so much smaller than the risk it creates for users. It’s much safer to leave it off."

It seems malware writers are set on writing cross-platform code to cast their nets as wide as possible now.

Exploit Update: Just days after Oracle released their patch, a new vulnerability is now being sold on the "black market" with bids starting at $5K! Stay tuned for more details as we follow the story!
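An added example, not part of the original post: a small Python audit that checks a machine against the three recommendations above. It assumes the settings live in the per-user `deployment.properties` file under the keys `deployment.webjava.enabled` and `deployment.security.level`; the sample inputs are constructed, and a missing key is treated as not meeting the recommendation.

```python
import re

PATCHED_UPDATE = 11  # the post's fix: Java 7 update 11

def parse_java_version(version_output):
    """Return (major, update) from `java -version` text, e.g. (7, 10)."""
    m = re.search(r'version "1\.(\d+)\.\d+(?:_(\d+))?', version_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def parse_properties(text):
    """Minimal key=value parser for deployment.properties content."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(version_output, properties_text):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    props = parse_properties(properties_text)
    # Recommendation #1: Java content in the browser must be disabled.
    if props.get("deployment.webjava.enabled", "").lower() != "false":
        findings.append("browser-java-enabled")
    # Recommendation #2: security level must be High or Very High.
    if props.get("deployment.security.level", "").upper() not in ("HIGH", "VERY_HIGH"):
        findings.append("security-level-too-low")
    # Recommendation #3: Java 7 installs must be at update 11 or later.
    version = parse_java_version(version_output)
    if version is None:
        findings.append("version-unknown")
    elif version[0] == 7 and version[1] < PATCHED_UPDATE:
        findings.append("java7-below-u11")
    return findings

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION = 'java version "1.7.0_10"'
SAMPLE_PROPS = "# constructed sample\ndeployment.security.level=MEDIUM\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION, SAMPLE_PROPS):
        print("FAIL:", finding)
```

On a real host, feed `audit` the text that `java -version` writes to stderr and the contents of the user's `deployment.properties`.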
