http://nakedsecurity.sophos.com/2012/08/28/unpatched-java-exploit-spreads-like-wildfire/
Unpatched Java exploit spreads like wildfire
by Chester Wisniewski on August 28, 2012
Within days of its discovery it appears that a new zero day flaw in Java could soon be in widespread use.
FireEye first reported on the flaw being used in a targeted attack originating from a Chinese web server. The web page hosting the exploit is timestamped August 22nd, 2012.
The flaw affects all versions of Oracle's Java 7 (version 1.7) on all supported platforms. Java 6 and earlier are unaffected. No patch is available at this time.
The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face.
Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker's code. The Metasploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).
I have been encouraging folks to remove Java if they can for years and this is just another reminder to do so. Unfortunately for many of us Java is a necessary evil.
I am a user of Libre/Open Office which requires Java, but there is a good solution to that problem. Disable the Java plugin in your favourite web browser.
Need to access intranet pages that require Java in your browser? Use your client firewall to disallow access to non-intranet resources for javaw.exe (on Windows).
Another solution is to surf the net using your favourite browser with Java disabled, and have an alternate browser available for the occasional site that needs it (Java is not JavaScript, you almost never need it).
Of course installing quality anti-malware software, firewalls and web filters provides a lot of protection as well.
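The client-firewall tip above (javaw.exe may reach the intranet but nothing else), sketched for the built-in Windows Firewall. This is an added example, not part of the Sophos article. It assumes that "intranet" means the RFC 1918 private ranges and that Java lives under the default Program Files\Java directories; the rule name is made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: intranet = RFC 1918 space, Java installed in the
# default "Program Files\Java" locations. Adjust both to your environment.

# Everything outside 10/8, 172.16/12 and 192.168/16 (loopback 127/8 is left
# alone), plus IPv6 global unicast space.
$nonIntranet = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255',
    '2000::/3'
)

# Candidate install roots; keep only the ones that exist on this machine.
$roots = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java") |
    Where-Object { Test-Path $_ }

if (-not $roots) {
    Write-Warning 'No Java directory found in the default locations.'
    return
}

# One outbound block rule per javaw.exe, since a rule is bound to a full path.
$binaries = Get-ChildItem -Path $roots -Recurse -Filter 'javaw.exe' -File `
    -ErrorAction SilentlyContinue

foreach ($exe in $binaries) {
    $name = "Block non-intranet outbound: $($exe.FullName)"   # hypothetical name

    # Skip binaries that already have the rule so the script can be re-run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        continue
    }

    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $exe.FullName -RemoteAddress $nonIntranet -Profile Any |
        Out-Null
    Write-Output "Rule added for $($exe.FullName)"
}
```

Re-run it after installing or updating Java, because each rule only matches the exact path it was created for.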
http://www.h-online.com/security/news/item/Java-0Day-Turn-off-Java-applets-now-1678618.html
Java 0Day: Turn off Java applets now
All versions of Java 7, including the current Java 7 update 6, are vulnerable to the hole that is already being exploited in the wild. With the publication of a vulnerability notice by the US-CERT and warnings from the German BSI (Federal Office for Information Security), the best advice for all users is to disable Java applets in their browsers on all operating systems.
The vulnerability can be exploited when a user visits a specially crafted web site and can be used to infect a system with malware.
How to turn off Java applets
This article explains how to disable the Java plugin in Firefox so that Java applets no longer run.
https://support.google.com/chrome/bin/answer.py?hl=en-GB&hlrm=de&answer=142064