Yet another Java flaw surfaces


A new Java vulnerability is currently being exploited to compromise PCs, according to various reports. It is known as a "zero-day" because no patch is yet available for it, and the creators of at least two crimeware products have already claimed to have incorporated exploit code for this flaw into their products.

The problem appears to exist in all versions of Java 7, and was first verified by security firm AlienVault Labs, which successfully reproduced the problem in fully-patched versions of Java 7. This issue was separately confirmed by Secunia, who noted in an email to us that the flaw allows for the Java sandbox to be bypassed, and can be used to execute malicious code upon visiting a malicious site.

Both security firms are asking users to immediately disable the Java browser plugin, and only enable it for sites that require it. This is easier in recent versions of Java, due to the relevant settings found in the Java applet Windows Control Panel. "Users should remember to restart the browser when 'switching' Java On and Off," added Chaitanya Sharma, Advisory Team Lead at Secunia.

There is no official confirmation from Oracle (NASDAQ: ORCL), though there is a slim chance that it could already be addressed in next week's scheduled update. It is important to note that, in addition to Windows, devices running Mac OS X and Linux could also be vulnerable. Indeed, the situation appears to be sufficiently serious to warrant an out-of-band update from Oracle.

For more:
- check out this blog at Krebs on Security
