Alert

Oracle Java 7 Security Manager Bypass Vulnerability

Last Revised: September 05, 2012
Alert Code: TA12-240A

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including

  • Java Platform Standard Edition 7 (Java SE 7)
  • Java SE Development Kit (JDK 7)
  • Java SE Runtime Environment (JRE 7)
  • OpenJDK 7 and 7u

IcedTea 2.3.0 (based on OpenJDK 7) is also affected.

Web browsers using the Java 7 plug-in are at high risk.

Overview

A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.

A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious applet.

Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.

Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.

Further technical details are available in Vulnerability Note VU#636312.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Solution

Update Java

This and other vulnerabilities are addressed by Java 7 Update 7. Please see Oracle Security Alert for CVE-2012-4681 for more information.

This vulnerability is addressed in IcedTea 2.3.1.

Reports indicate that other vulnerabilities remain after updating Java to Update 7.
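A defender-side inventory check, added here as example code that is not part of the US-CERT alert: it parses `java -version` output and flags a runtime that falls inside this alert's affected set (Java 7 below Update 7, or IcedTea below 2.3.1). The sample outputs are constructed, and the IcedTea runtime-line format is assumed from typical OpenJDK builds.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample `java -version` outputs (Java prints these to stderr);
# they are not captured from a real host.
SAMPLE_ORACLE_7U6 = 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
SAMPLE_ORACLE_7U7 = 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n'
SAMPLE_ICEDTEA_230 = 'java version "1.7.0_06"\nOpenJDK Runtime Environment (IcedTea7 2.3.0) (7u6-2.3.0-1)\n'
SAMPLE_ICEDTEA_231 = 'java version "1.7.0_07"\nOpenJDK Runtime Environment (IcedTea7 2.3.1) (7u7-2.3.1-1)\n'
SAMPLE_JAVA6 = 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)\n'

FIXED_UPDATE = 7            # Java 7 Update 7 (Oracle Security Alert for CVE-2012-4681)
FIXED_ICEDTEA = (2, 3, 1)   # IcedTea 2.3.1 carries the fix

def parse_java_version(output: str) -> Tuple[Optional[int], Optional[int], Optional[Tuple[int, ...]]]:
    """Return (major, update, icedtea) from `java -version` text: major is the second
    field of "1.7.0_06" (7), update the number after "_", icedtea a tuple or None."""
    m = re.search(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"', output)
    if not m:
        return None, None, None
    major = int(m.group(2))
    update = int(m.group(4) or 0)
    # Assumed IcedTea runtime line, e.g. "OpenJDK Runtime Environment (IcedTea7 2.3.0)"
    it = re.search(r'IcedTea\d*\s+(\d+(?:\.\d+)*)', output)
    icedtea = tuple(int(x) for x in it.group(1).split('.')) if it else None
    return major, update, icedtea

def is_affected(output: str) -> bool:
    """True when the runtime is in TA12-240A's affected set. Only this alert's fix
    levels are checked; the alert notes that other issues remain in Java 7 Update 7."""
    major, update, icedtea = parse_java_version(output)
    if major != 7:
        return False                    # Java 6 and earlier are outside this alert's scope
    if icedtea is not None:
        return icedtea < FIXED_ICEDTEA  # IcedTea 2.3.0 affected, 2.3.1 fixed
    return update < FIXED_UPDATE        # Oracle/OpenJDK 7: fixed in Update 7

def check_local_java() -> Optional[bool]:
    """Run `java -version` on this host; None when no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_affected(proc.stderr + proc.stdout)
```

Run `check_local_java()` on each managed host; a `True` result means the runtime still needs the Update 7 or IcedTea 2.3.1 upgrade described above.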

Disable the Java plug-in, Java Deployment Toolkit, and Java Web Start functionality

To protect against this and future vulnerabilities, consider disabling the Java plug-in, Java Deployment Toolkit, and Java Web Start functionality. There are multiple ways to invoke Java in different web browsers and operating systems, and it can be difficult to completely disable browser support for Java. Check the Solution section of VU#636312 for up-to-date information.

Here are instructions for several common web browsers. Take care to disable both the Java and Java Deployment Toolkit plug-ins and, if necessary, disable Java Web Start by breaking JNLP handling.

Downgrade to Java 6

Consider uninstalling Java 7 and using Java 6.

Use NoScript

NoScript is a browser extension for Mozilla Firefox browsers that provides options to block Java applets.

Revisions

  • August 27, 2012: Initial release
  • August 28, 2012: Updated
  • September 05, 2012: Updated
