Update: Oracle has released an emergency patch (Java 7 Update 7) after initially stating it would not break its patch cycle. Download the Java 7 security patch here: http://reviews.cnet.com/8301-13727_7-57503787-263/oracle-patches-java-7-vulnerability/
If you haven’t heard the news recently, take a minute to read this and find out whether you’re at risk from the latest security vulnerability in Java 7, which affects Java 7 Update 6 and all earlier Java 7 releases. It is tracked as CVE-2012-4681 and is being called the Java zero-day because it was exploited in the wild before any patch existed; Secunia rates it “extremely critical”.
Java 7 has quite a few known vulnerabilities at this point, 19 to be exact, and the zero-day is one of them. Oracle says it was aware of the vulnerabilities the whole time but wasn’t going to release anything until its next scheduled Critical Patch Update in October. You can read more about Oracle’s claims here.
From what I’ve been able to find out, this vulnerability puts anyone at risk who is using the Java 7 browser plugin with Internet Explorer, Google Chrome, Firefox or Safari. Don’t expect to be safe on a Mac either: it’s been confirmed that a Mac with Java 7 installed is susceptible to the same attack as a Windows user. The exploit seen in the wild used the bug to install the “Poison Ivy” remote access trojan on the victim’s computer with no prompt and no elevated permissions required. Carsten Eiram, Chief Security Specialist at vulnerability management firm Secunia, explains: “This vulnerability is not a ‘memory corruption’ type vulnerability, but instead seems to be a security bypass issue that allows running untrusted code outside the sandbox without user interaction. In this specific case a file is downloaded and executed on the user’s system when just visiting a web page hosting a malicious applet.”
So how do you fix the zero-day Java 7 vulnerability? There’s an unofficial third-party patch, but I’d highly recommend uninstalling Java 7 from all of your computers until further notice from Oracle, or at the very least disabling the Java plugin in every browser, since the attack vector is a malicious applet loaded from a web page. You can confirm what you have installed by running `java -version`; anything reporting 1.7.0_06 or earlier is exposed. Reverting to Java 6 sidesteps this particular bug, which exists in Java 7 only, but there’s a chance some of your newer programs or browser plugins will break as a result. It’s better to be safe and deal with that for the time being.
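To make the “check your version” advice above concrete, here is a small added script (my own example, not code from the original post or from Oracle) that parses the first line of `java -version` output and flags any JRE in the CVE-2012-4681 range, Java 7 Update 0 through Update 6. The version regex assumes the standard `java version "1.7.0_06"` banner format; the hostnames and banners in the sample inventory are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Matches the first line of `java -version` output, e.g.
#   java version "1.7.0_06"
#   java version "1.6.0_33"
# The update number is optional: some builds print "1.7.0" with no "_NN".
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_exposed_to_cve_2012_4681(banner: str) -> Optional[bool]:
    """True if the JRE is Java 7 Update 6 or earlier (fixed in 7u7, Oracle's 30 Aug 2012 alert).

    CVE-2012-4681 itself is Java 7 only, so Java 6 returns False here. Note that the same
    Oracle alert also shipped Java 6 Update 35 for other issues, so a Java 6 host still wants
    updating; this function only answers the CVE-2012-4681 question.
    Returns None when the banner could not be parsed (java missing, odd vendor build, etc.).
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    return major == 7 and update < 7


# Constructed sample inventory: hostname -> first line of `java -version 2>&1`
# (hostnames and version strings are made up for this example).
SAMPLE_INVENTORY = {
    "ws-001": 'java version "1.7.0_06"',
    "ws-002": 'java version "1.7.0_07"',
    "ws-003": 'java version "1.6.0_33"',
    "ws-004": 'java version "1.7.0_04"',
    "ws-005": "bash: java: command not found",
}


def triage(inventory):
    """Split hosts into (exposed, not exposed, unknown) lists, sorted by hostname."""
    exposed, ok, unknown = [], [], []
    for host, banner in sorted(inventory.items()):
        verdict = is_exposed_to_cve_2012_4681(banner)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            exposed.append(host)
        else:
            ok.append(host)
    return exposed, ok, unknown


if __name__ == "__main__":
    import subprocess

    # Live check of this machine: `java -version` prints its banner to stderr.
    try:
        banner = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
        print("local JRE exposed to CVE-2012-4681:", is_exposed_to_cve_2012_4681(banner))
    except FileNotFoundError:
        print("local JRE: java not installed")

    exposed, ok, unknown = triage(SAMPLE_INVENTORY)
    print("exposed:", exposed)
    print("patched or unaffected:", ok)
    print("unknown (check by hand):", unknown)
```

Hosts that land in the “unknown” bucket deserve a manual look rather than being assumed safe: a missing `java` on the PATH does not mean the browser plugin is gone, because the plugin is registered with the browser separately from the command-line JRE.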
I am absolutely no Java expert, but I know my way around it and I know enough about cyber security to agree that this is a big deal.
Although I have yet to hear anything back from Adobe on whether this also affects ColdFusion systems, I would have to imagine there’s always a possibility, especially with ColdFusion running on top of Java. I would not be surprised to hear that there is no greater risk to systems utilizing ColdFusion, though: the bug is a sandbox escape for untrusted applets in the browser plugin, and Oracle’s alert states it does not apply to Java running on servers, so a ColdFusion server is only exposed if someone is also browsing the web from it with the Java plugin enabled. In case you’re wondering, ColdFusion 9 and 10 should, or at least will, be able to run on Java 7.
Please let me know what you and/or your company are planning to do about this security issue, if anything at all. I’ve already heard reports from multiple companies across the nation taking action to protect their servers and employee computers.
I’d love to hear about any other updates, so if you’ve heard something that I haven’t or if you need to clarify on something I wrote, be sure to leave me a comment or contact me so I can update the post and spread the word.
Here are some additional resources:
- ZERO-DAY SEASON IS NOT OVER YET
- Java Flaw Puts Millions Of Windows And Mac Users At Risk
- Attackers Pounce on Zero-Day Java Exploit
- National Vulnerability Database – Vulnerability Summary for CVE-2012-4681 (Java 7 Update 6 vulnerability)