Time to disable Java AGAIN: 1 billion at risk from newest critical Java bug

Today on Full Disclosure mailing list, the Polish security firm Security Explorations announced another new critical Java flaw. This one is worse than the last Java zero-day since it affects all operating systems (Windows, Linux, Solaris, MacOS) that use Java 5, 6 or 7. The Java plugin can be exploited in Chrome, Firefox, IE, Safari and Opera browsers. One billion users are at risk, the security researchers warned.

Got Java? If so, then you might choke on it. Again. There's really bad news in the security world today, as declared on the Full Disclosure mailing list. Security Explorations, a Polish security firm, announced another new critical Java flaw that is worse than the last Java zero-day. This one affects Java 5, Java 6 and Java 7. In other words, the security researchers said it puts 1 billion users at risk! That number is only slightly lower than Oracle's own claim that "1.1 billion desktops run Java."

Adam Gowdiak, CEO of Security Explorations, wrote:

The following Java SE versions were verified to be vulnerable:

- Java SE 5 Update 22 (build 1.5.0_22-b03)
- Java SE 6 Update 35 (build 1.6.0_35-b10)
- Java SE 7 Update 7 (build 1.7.0_07-b10)

All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications:

- Firefox 15.0.1
- Google Chrome 21.0.1180.89
- Internet Explorer 9.0.8112.16421 (update 9.0.10)
- Opera 12.02 (build 1578)
- Safari 5.1.7 (7534.57.2)
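For administrators inventorying hosts against the builds listed above, here is an added example (not code from the article, from Security Explorations or from Oracle) that parses `java -version` output and classifies the installed JRE: an exact match on one of the three verified-vulnerable builds, any other Java 5, 6 or 7 build (which the advisory says are all affected and for which no patch existed at the time), or a version outside the advisory's scope. The sample outputs are constructed, and the three classification labels are this example's own wording.

```python
"""Classify installed Java SE builds against the Security Explorations advisory.

Added example; not part of the article. Version strings follow the
'1.<family>.<minor>_<update>-b<build>' layout that `java -version` prints.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Builds the advisory lists as verified vulnerable (taken from the article).
VERIFIED_VULNERABLE = {"1.5.0_22-b03", "1.6.0_35-b10", "1.7.0_07-b10"}
# The advisory states that Java 5, 6 and 7 are all affected.
AFFECTED_FAMILIES = {5, 6, 7}

# Classification labels used by this example (assumed wording, not the advisory's).
VERIFIED = "verified vulnerable (listed in the advisory)"
ASSUMED = "affected family (Java 5/6/7); assume vulnerable until Oracle patches"
OUT_OF_SCOPE = "outside the advisory's scope (not Java 5, 6 or 7)"

# Matches '1.7.0_07-b10', '1.7.0_07' and '1.4.2_19' style strings.
_VERSION_RE = re.compile(r"1\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?")


@dataclass(frozen=True)
class JavaVersion:
    family: int           # 5, 6, 7 ... (the second component of '1.x.y')
    minor: int
    update: int
    build: Optional[int]  # None when the string carries no '-bNN' suffix

    def canonical(self) -> str:
        """Render in the advisory's notation, e.g. '1.7.0_07-b10'."""
        s = f"1.{self.family}.{self.minor}_{self.update:02d}"
        if self.build is not None:
            s += f"-b{self.build:02d}"
        return s


def parse_java_version(text: str) -> JavaVersion:
    """Pick the most specific version string in `java -version` output.

    The first line ('java version "1.7.0_07"') lacks the build number; the
    runtime line ('(build 1.7.0_07-b10)') carries it, so prefer a match with a build.
    """
    best: Optional[JavaVersion] = None
    for m in _VERSION_RE.finditer(text):
        family, minor, update, build = m.groups()
        v = JavaVersion(int(family), int(minor), int(update or 0),
                        int(build) if build else None)
        if best is None or (best.build is None and v.build is not None):
            best = v
    if best is None:
        raise ValueError(f"no Java version string found in: {text!r}")
    return best


def classify(version: JavaVersion) -> str:
    if version.canonical() in VERIFIED_VULNERABLE:
        return VERIFIED
    if version.family in AFFECTED_FAMILIES:
        return ASSUMED
    return OUT_OF_SCOPE


def audit(java_version_output: str) -> Tuple[str, str]:
    """Return (canonical version, classification) for one host's output."""
    v = parse_java_version(java_version_output)
    return v.canonical(), classify(v)


# Constructed sample outputs of `java -version`; not captured from real hosts.
SAMPLE_OUTPUTS = [
    'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    'java version "1.7.0_05"\nJava(TM) SE Runtime Environment (build 1.7.0_05-b06)',
    'java version "1.4.2_19"',
]

if __name__ == "__main__":
    for out in SAMPLE_OUTPUTS:
        version, verdict = audit(out)
        print(f"{version:16} {verdict}")
```

Feed it the captured output of `java -version` from each host (for example, via your configuration-management tool) and treat anything other than the out-of-scope verdict as a host where the browser plugin should stay disabled until the October Critical Patch Update lands.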

Attackers could craft a malicious web page that hands them complete control of the computer when a user visits it. In an interview with Computerworld about this newest Java flaw, Gowdiak said:

A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.

All operating systems supported by Oracle Java SE (such as Windows, Linux, Solaris, MacOS) are vulnerable as long as they have Java 5, 6 or 7 installed and enabled.

Perhaps you disabled the Java browser plugin last month when the zero-day was actively being exploited in the wild? Oracle finally patched it on August 30. Immediately afterwards, on August 31, Security Explorations revealed another Java security flaw that has yet to be patched; and now the firm has discovered the newest critical Java bug. In fact, this was the "anniversary" Java flaw discovery, listed under Issue 50 as a "complete Java security sandbox bypass."

If you've re-enabled Java, then it's time to disable it again. Disabling the Java plugin is what Security Explorations advised. But given the continued stream of critical flaws that would allow attackers to take control of PCs, it may be time to kick Java to the curb completely. Then, of course, you run into another set of aggravating issues, such as games or sites not running properly.

While the last huge Java hole was floating around, Microsoft published "how to disable the Java web plug-in in Internet Explorer." However, as Brian Krebs pointed out, US-CERT warned that those steps "may or may not completely remove Java from IE." Krebs has a nice overview of how to unplug Java from browsers for Windows and Mac users.

As you undoubtedly know, Oracle is not exactly speedy about issuing fixes. However, as Gowdiak suggested, there's still hope for a fix on the horizon. The next Java Critical Patch Update is scheduled in October, giving Oracle three weeks to fix this critical flaw as well as the one discovered on August 31.

This latest Java vulnerability was disclosed just in time for the JavaOne 2012 conference in San Francisco that begins on Sunday, Sept 30. Gowdiak wrote on the SecLists Full Disclosure, "We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's morning Java."

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.