New Java Exploit Puts 1 Billion Computers at Risk
CREDIT: Steve Cukrov/Shutterstock.com
A new zero-day exploit in multiple versions of Java puts roughly 1 billion users at risk to attackers and malicious code.
The flaw was discovered by researchers at Poland's Security Explorations, a security firm that already has a known penchant for unearthing flaws in Java's notoriously buggy programming language.
In April, the security firm found another zero-day Java exploit that affected only Java 7, which wasn't made public until August. This latest flaw is worse in that it leaves all supported versions of Java (Java 5, 6 and 7) on most desktop platforms (Windows, Mac, Linux and Solaris) vulnerable to criminals.
Security experts had previously advised Java users to downgrade to Java 6 to avoid the previous flaw, but that will no longer protect computers from attack.
The exploit works in all major browsers, including Internet Explorer, Safari, Firefox, Chrome and Opera. Mac users of Lion or Mountain Lion who installed Java after purchase are also vulnerable. (Apple stopped bundling Java into its operating system after Snow Leopard, Mac OS X 10.6.)
Security Explorations CEO Adam Gowdiak, who went public with the vulnerability yesterday (Sept. 25), said it works by achieving "a complete Java security sandbox bypass."
Sandboxing is a mechanism that runs programs in an isolated environment with limited access to other programs and to the computer's sensitive files and code to prevent a potentially corrupt program from infecting the entire machine.
The Polish security firm's exploit discovery last month prompted Oracle, the owners of Java, to issue a once-in-a-blue-moon "out-of-band" security patch on Aug. 30. The next one is scheduled to be pushed out Oct. 16, the soonest Java users should expect to see this new hole plugged.
After the previous Java exploit was disclosed in August, leading to a wave of attacks, Security Explorations claimed that they had discovered the same security hole months before and warned Oracle about it, Sophos' Naked Security blog reported.
Oracle failed to address the issue quickly and when they did, Security Explorations demonstrated that the "rushed patch" could still be overcome.
When Web browsing first became widely adopted by the public, getting around without Java would have been difficult. Now, many people don't even know whether Java runs on their browser or not.
To find out, you'll need to check your settings. On PCs, Java settings are found under the Control Panel. For Macs, they're under Utilities.
To see whether you even need Java, try disabling it entirely. If it doesn't disrupt your computer usage, leave it off; if it does, you can always turn it back on. (You can check to see if your browser is running Java by visiting Oracle's website.)
Another way to mitigate your risk is to keep Java plug-ins running only on a browser you rarely use. When you need it for online use, use that browser; when you don't, stick with your regular one.
Developed by Sun Microsystems as a self-contained platform and programming language in 1995, Java let users and organizations run programs across a variety of operating systems without glitches or corruption.
But as competing technologies such as Macromedia (later Adobe) Flash and Shockwave were adopted, Java became less ubiquitous. (Oracle bought Sun in 2009.)
With the current, but slow, rollout of the HTML 5 Web standard, which supports all manner of audio, video and other user interactivity directly in the browser, Java and Flash are likely to soon be obsolete.