Sunday, January 13, 2013

Patch for recent Java 0-day vulnerability to come out 'shortly'

Even though I didn't cover this at first (it would give me a reason to talk about why I run Linux again), I am covering it now. A few days ago a 0-day vulnerability was found in current versions of Java, including the most up-to-date release, Java 7 Update 10. The hole lets an attacker execute arbitrary code on a victim's machine simply by getting the victim to visit a specially crafted web page: the malicious applet is launched by the Java browser plugin as the page loads, with no further interaction from the user.

In a race to protect its users, Mozilla blacklisted the most recent versions of the Java plugin, including the latest, Java 7 Update 10; older versions were already disabled because of previously found vulnerabilities. Apple likewise moved to block the Java 7 plugin on more recent versions of OS X.

Apparently the vulnerability must be that serious, because the United States government stepped in and told all users to disable Java until a patch is released. It should be noted that you don't have to uninstall Java completely from your system, unless you don't need it at all: disabling the Java browser plugin is enough to close this particular hole, because the exploit depends on the plugin running an applet embedded in a web page. With the plugin disabled, a victim would have to download and run the malicious Java code manually for any payload to execute, while ordinary desktop Java applications keep working.
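As an added example (not from the original post), here is a small POSIX shell script that applies the plugin mitigation described above from the command line instead of the Java Control Panel. It assumes two things about the reader's environment that are not stated on this page: that the Java 7 plugin on Linux reads the per-user file `~/.java/deployment/deployment.properties`, and that the property `deployment.webjava.enabled` is what the Control Panel's "Enable Java content in the browser" checkbox toggles. Check the path and property name against your own Java installation before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions (verify on your system): the Java 7 plugin honours the per-user
# file ~/.java/deployment/deployment.properties, and the key
# deployment.webjava.enabled=false turns off Java content in every browser that
# uses the plugin, which is what the Java Control Panel checkbox writes.

# Location of the properties file; DEPLOYMENT_PROPS overrides it for testing.
props_file() {
    printf '%s\n' "${DEPLOYMENT_PROPS:-$HOME/.java/deployment/deployment.properties}"
}

# Set key=value in a Java-style properties file, dropping any existing line
# for that key first so that repeated runs leave exactly one entry.
set_property() {
    key=$1; value=$2; file=$(props_file)
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { next }   # discard the old setting for this key
        { print }                        # keep every other line untouched
        END { print k "=" v }            # append the new setting
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Disable applets in all browsers that use the Java plugin for this user.
# Desktop Java applications are unaffected by this property.
disable_web_java() {
    set_property deployment.webjava.enabled false
}

# Report "disabled" when browser Java is switched off, "enabled" otherwise.
# A missing property means the default, which is enabled.
web_java_state() {
    file=$(props_file)
    if [ -f "$file" ] && grep -q '^deployment.webjava.enabled=false$' "$file"; then
        echo disabled
    else
        echo enabled
    fi
}

# Usage: "sh disable-web-java.sh disable" applies the setting,
#        "sh disable-web-java.sh status" only reports it.
case "${1:-}" in
    disable) disable_web_java; web_java_state ;;
    status)  web_java_state ;;
esac
```

The script edits only the current user's settings, so run it once per account that has a browser; after applying it, confirm in the browser's own plugin manager that Java content is off, since a plugin enabled there but blocked by the deployment property still shows up in the plugin list.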

Now, usually I don't pay much attention to these 'frenzies' because I run Linux and don't see much need to worry about such issues or exploits, but I just wanted to get the word out, just in case. Oracle has said that it acknowledges the issue and should have a patch out 'shortly'. Just how short will the wait be, though?