Monday, January 14, 2013

Oracle has released Java 7 update 11, patching the recently discovered 0-day exploit

Since the announcement, and the post I did yesterday, Oracle has now pushed out an update to Java 7, dubbed update 11, that can be downloaded using your Java control panel or directly from Oracle's website. You can go ahead and click that link if you wish; it takes you to the Java download page.

If you look at the change log, this update to Java patches a few vulnerabilities. The Oracle Security Alert for CVE-2013-0422, however, says that update 11 only fixes 2 issues. There is also another change on top of that: the Java Security Level has been altered. The setting will now be bumped up from medium to high by default. What this means is that there will be a prompt before any kind of Java applet runs, kind of like User Account Control. The purpose of that, Oracle explains, is to prevent any kind of drive-by download.

This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and Web Start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run, to prevent silent exploitation.

Turns out that the change really does make a difference. Security researcher Charlie Miller decided to put the change to the test, and this is what he found:

So, this is indeed a big change. It just about effectively stops Java drive-by exploits, unless hackers figure out how to bypass the security policy, or a user disables it (which is a BIG no-no).
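The Security Level described above is also exposed as a Java deployment property, which lets an administrator set it (and pin it) outside the Control Panel. The fragment below is an added example, not from the post or from Oracle's documentation; the file paths are assumptions for a typical Linux install, and the weak line is kept commented out purely for contrast.

```properties
# Added example (constructed): system-wide Java 7 deployment.properties
# Referenced from /etc/.java/deployment/deployment.config (assumed path) via:
#   deployment.system.config=file:///etc/.java/deployment/deployment.properties
#   deployment.system.config.mandatory=true

# Weak setting (the pre-update-11 default): unsigned applets run with no prompt.
# deployment.security.level=MEDIUM

# Hardened setting (what update 11 now makes the default): prompt before any
# unsigned applet or Web Start app runs, which is what blocks silent drive-bys.
deployment.security.level=HIGH

# Lock the value so a user cannot lower it again from the Java Control Panel
# (the "BIG no-no" above); the .locked suffix greys the setting out in the UI.
deployment.security.level.locked
```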

Now I don't want to plug Chrome here, and I'm sure there is a similar way to do this in Firefox, but I recommend you enable Chrome's click-to-play feature if you use Google Chrome or Chromium as your web browser. What it does is require any plugin to be run manually by the user, by clicking on the space where the plugin was meant to load. However, if you use a website such as Pandora, which loads Flash in the background to handle the actual audio stream, you can click on an icon in the omnibox to whitelist the entire website so the background Flash embed will run.

As for Firefox and Mac users, after you install the update you should be able to use Java as normal. Mozilla and Apple had disabled the Java plugin to protect their users when this 0-day exploit initially blew up across the internet.

And for those who asked for more info on the exploit: it was being used in the wild (so it was already being exploited), and had even been added to common exploit kits used by malicious attackers. That explains why everyone rushed to get the hole patched.