Oracle Java 7 Security Manager Bypass Vulnerability
Any system using Oracle Java 7 (1.7, 1.7.0) including
- Java Platform Standard Edition 7 (Java SE 7)
- Java SE Development Kit (JDK 7)
- Java SE Runtime Environment (JRE 7)
- OpenJDK 7 and 7u
IcedTea 2.3.0 (based on OpenJDK 7) is also affected.
Web browsers using the Java 7 plug-in are at high risk.
A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious applet.
Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.
Further technical details are available in Vulnerability Note VU#636312.
By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.
This and other vulnerabilities are addressed by Java 7 Update 7. Please see Oracle Security Alert for CVE-2012-4681 for more information.
This vulnerability is addressed in IcedTea 2.3.1.
Reports indicate that other vulnerabilities remain after updating Java to Update 7.
Disable the Java plug-in, Java Deployment Toolkit, and Java Web Start functionality
To protect against this and future vulnerabilities, consider disabling the Java plug-in, Java Deployment Toolkit, and Java Web Start functionality. There are multiple ways to invoke Java in different web browsers and operating systems, and it can be difficult to completely disable browser support for Java. Check the Solution section of VU#636312 for up-to-date information.
Here are instructions for several common web browsers. Take care to disable both the Java and Java Deployment Toolkit plug-ins and, if necessary, disable Java Web Start by breaking JNLP handling.
- Apple Safari: How to disable the Java web plug-in in Safari, disable "Open 'safe' files after downloading"
- Mozilla Firefox: How to turn off Java applets
- Google Chrome: See the "Disable specific plug-ins" section of the Chrome plug-ins documentation.
- Microsoft Internet Explorer: Disabling Java in Internet Explorer is significantly more complicated than with other browsers. Please see the instructions in VU#636312.
Downgrade to Java 6
Consider uninstalling Java 7 and using Java 6.
NoScript is a browser extension for Mozilla Firefox browsers that provides options to block Java applets.
August 27, 2012: Initial release|August 28, 2012: Updated|September 05, 2012: Updated