Update 1/13/2013: Oracle has just come up with a patch to fix this latest Java vulnerability. Get it here.
The U.S. Department of Homeland Security urged computer users to disable Oracle Corp’s Java software, amplifying security experts’ prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.
Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.
“We are currently unaware of a practical solution to this problem,” the Department of Homeland Security’s Computer Emergency Readiness Team said in a posting on its website late on Thursday.
“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the agency said. “To defend against this and future Java vulnerabilities, disable Java in Web browsers.”
Unfortunately, it really is fair to say that Java has “yet another zero-day exploit”.
The latest version of Java, v7 Update 10, is affected, and currently there is no plan for a patch. The vulnerability, which is already being used in online attacks, allows code injection onto a fully patched Windows system running the affected Java version. It is not yet known whether other versions of Java are affected. To be affected, a user has to visit a website hosting the exploit applet that performs the code injection.
Here you can test if you have Java active in your browser: http://java.com/en/download/installed.jsp
If you have re-activated the Java plugin in your browser since the last zero-day exploit at the end of August 2012, here is how to deactivate it again:
- Deactivate the Java plugin in Chrome
- Deactivate the Java plugin in Firefox
- Deactivate the Java plugin in Safari
- Deactivate the Java plugin in IE: this is very tricky. Don’t assume that deactivating the plugin in IE’s Add-ons list does the job, as anybody would expect. The best thing to do at the moment is to uninstall Java from your system through “Programs and Features” or “Add or Remove Programs”. Note that this makes Java unavailable for all browsers.
- Starting with Java v7 Update 10 there is a new security feature: you can disable Java for all browsers through the Java Control Panel. Here is a detailed how-to from Java.com.
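To confirm that the Control Panel setting has actually taken effect (for example on several machines), here is an added example, not from this post or from Oracle, that parses a Java deployment.properties file and reports whether Java content in the browser is switched off. It assumes that the Java 7u10+ Control Panel records the unticked checkbox as `deployment.webjava.enabled=false` and that an administrator can pin the setting with a `.locked` key; the sample file content is constructed.

```python
# Added example for this post (not from the original article or from Oracle).
# Assumption: since Java 7u10 the Java Control Panel records the
# "Enable Java content in the browser" checkbox as deployment.webjava.enabled=false
# in the user's deployment.properties (Windows: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment).
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

def _unescape(s):
    """Resolve java.util.Properties backslash escapes (\\: \\= \\\\ \\n ...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def parse_java_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' ':' or blank
    key separators, backslash line continuations (enough for deployment.properties)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing '\': continues
            pending = line[:-1]
            continue
        i = 0
        while i < len(line) and line[i] not in "=: \t":
            i += 2 if line[i] == "\\" else 1  # step over an escaped separator in the key
        key, rest = line[:i], line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape(key)] = _unescape(rest)
    return props

def web_java_status(props):
    """Return (browser_java_disabled, locked_by_admin) from parsed properties."""
    value = props.get("deployment.webjava.enabled", "true").strip().lower()
    return value == "false", "deployment.webjava.enabled.locked" in props

# Constructed sample of what the Control Panel writes after the box is unticked.
SAMPLE = """#deployment.properties
deployment.webjava.enabled=false
deployment.user.security.exception.sites=C\\:\\\\Users\\\\pro\\\\sites.txt
deployment.security.level=\\
    VERY_HIGH
"""
```

Running `web_java_status(parse_java_properties(open(path).read()))` on a real file returns `(True, False)` when browser Java is off but a user could still re-enable it.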
Professor Randy says: Many people don’t even need to use Java. If you are running Java, please disable it now!