http://www.cbsnews.com/8301-205_162-...java-software/


WASHINGTON The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.

The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.

• Read the US-CERT release concerning Java

Experts believe hackers have found a flaw in Java's coding that creates an opening for criminal activity and other high-tech mischief.

CNET's Topher Kessler writes:

"The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform.

Even though the exploit has not been seen in OS X, Apple has taken steps to block it by issuing an update to its built-in XProtect system to block the current version of the Java 7 runtime and require users install an as of yet unreleased version of the Java runtime.

Luckily with the latest versions of Java, users who need to keep it active can change a couple of settings to help secure their systems. Go to the Java Control Panel that is installed along with the runtime, and in the Security section uncheck the option to "Enable Java content in the browser," which will disable the browser plug-in. This will prevent the inadvertent execution of exploits that may be stumbled upon when browsing the Web, and is a recommended setting for most people to do. If you need to see a Java applet on the Web, then you can always temporarily re-enable the plug-in.

The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed."

Java is a widely used technical language that allows computer programmers to write a wide variety of Internet applications and other software programs that can run on just about any computer's operating system.

Oracle Corp. bought Java as part of a $7.3 billion acquisition of the software's creator, Sun Microsystems, in 2010.

Oracle, which is based in Redwood Shores, Calif., had no immediate comment late Friday.

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including

• JavaPlatform Standard Edition 7 (Java SE 7)
• Java SE Development Kit (JDK7)
• Java SE Runtime Environment (JRE 7)

All versions of Java7 through update 10 are affected. Web browsers using the Java 7 plug-inare at high risk.
Overview

A vulnerability in the way Java 7 restricts the permissions of Java appletscould allow an attacker to execute arbitrary commands on a vulnerablesystem.
Description

A vulnerability in the Java Security Manager allows a Java applet to gran****elf permission to execute arbitrary code. An attacker could use socialengineering techniques to entice a user to visit a link to a website hosting amalicious Java applet. An attacker could also compromise a legitimate web siteand upload a malicious Java applet (a "drive-by download"attack).
Any web browser using the Java 7 plug-in is affected. The JavaDeployment Toolkit plug-in and Java Web Start can also be used as attackvectors.
Reports indicate this vulnerability is being actively exploited,and exploit code is publicly available.
Further technical details areavailable in Vulnerability Note VU#625617.
Impact

By convincing a user to load a malicious Java applet or Java NetworkLaunching Protocol (JNLP) file, an attacker could execute arbitrary code on avulnerable system with the privileges of the Java plug-in process.
Solution

Disable Java in web browsers
This and previous Javavulnerabilities have been widely targeted by attackers, and new Javavulnerabilities are likely to be discovered. To defend against this and futureJava vulnerabilities, consider disabling Java in web browsers until adequateupdates are available. As with any software, unnecessary features should bedisabled or removed as appropriate for your environment.
Starting withJava 7 Update 10, it is possible to disable Java content in web browsers throughthe Java control panel applet. From Settingthe Security Level of the Java Client:
Forinstallations where the highest level of security is required, it is possible toentirely prevent any Java apps (signed or unsigned) from running in abrowser by de-selecting Enable Java content in the browser in the JavaControl Panel under the Security tab.
If you are unable to updateto Java 7 Update 10 please see the solution section of Vulnerability Note VU#636312 forinstructions on how to disable Java on a per-browser basis.
References

• Vulnerability Note VU#625617
• Setting the Security Level of the Java Client
• The Security Manager
• How to disable the Java web plug-in in Safari
• How to turn off Java applets
• NoScript
• Securing Your Web Browser
• Vulnerability Note VU#636312

Revision History

• January 10, 2013: Initial release
• January 11, 2013: Updated language about disabling Java in web browsers