Advice Regarding Recent Java Vulnerabilities

Wednesday, October 17, 2012

Fergal Glynn


Article by Zach Lanier

By now, our readers have undoubtedly seen the buzz about a serious security vulnerability in Oracle Java, with corresponding exploit code circulating both in active, in-the-wild attack campaigns and in penetration testing tools.

If you haven’t, the gist is that, due to a flaw in the way access control permissions are checked in Java, a malicious applet can effectively grant itself full permissions. That includes the ability to run commands *outside* the Java sandbox (something an untrusted applet is normally prevented from doing), so merely loading a page that carries a hostile applet can lead to code execution on the visitor’s machine.

For those interested, Immunity, Inc. posted an excellent, detailed technical write-up, as well as some follow-up information about what else was patched in the recent Java update.

To ensure that Veracode customers can continue to use our platform while managing risk from this and other vulnerabilities in the Java Runtime, we’ve assembled a few pieces of guidance.

First, we recommend that customers apply the recently released Java updates from Oracle (versions 1.7.0_07, i.e. Java 7 Update 7, and 1.6.0_35, i.e. Java 6 Update 35), as described in Oracle’s recent blog post, release notes and advisory. The two lines are patched independently: a machine with both Java 6 and Java 7 installed needs both brought up to date, since the browser plug-in may load either. For those not using the Java updater tool, the JRE and JDK updates can be downloaded directly, and additional information on how to update is available at
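As a concrete check for the first recommendation, here is an added shell example (not from the original post, nor Veracode’s or Oracle’s code) that parses the first line of `java -version` output and reports whether a runtime is at or above the fixed update for its line. The fixed levels it assumes, 7 Update 7 and 6 Update 35, are the ones named above; the sample version lines are constructed, and any other major line is reported as unknown rather than guessed at.

```shell
#!/bin/sh
# Added example: classify a JRE version against the fixed updates named in
# the post above. Assumed fixed levels (from the post): 1.7.0_07 and 1.6.0_35.
PATCHED_7=7
PATCHED_6=35

# Pull the quoted version out of the first line of `java -version` output,
# e.g. 'java version "1.7.0_06"' -> 1.7.0_06. Accepts "openjdk version" too.
# Prints nothing if the line does not look like a version line.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z]* version "\([^"]*\)".*$/\1/p'
}

# Print one word for a version such as 1.7.0_06:
#   patched    - at or above the fixed update for its major line
#   vulnerable - older than the fixed update (a bare GA build like 1.7.0 counts as update 0)
#   unknown    - a major line this script has no fixed level for (e.g. 1.5.x)
java_patch_status() {
    ver="$1"
    family=$(printf '%s\n' "$ver" | cut -d. -f2)
    update=$(printf '%s\n' "$ver" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*$/\1/p')
    [ -n "$update" ] || update=0
    case "$family" in
        7) threshold=$PATCHED_7 ;;
        6) threshold=$PATCHED_6 ;;
        *) echo unknown; return 0 ;;
    esac
    # test(1) compares in decimal, so the leading zero in "_06" is harmless
    if [ "$update" -ge "$threshold" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Classify one raw `java -version` first line and print a verdict.
report_line() {
    ver=$(java_version_string "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $1"
        return 0
    fi
    echo "$ver: $(java_patch_status "$ver")"
}

# Constructed sample lines in the format `java -version` prints (on stderr).
for line in 'java version "1.7.0_06"' 'java version "1.7.0_07"' \
            'java version "1.6.0_33"' 'java version "1.6.0_35"' \
            'java version "1.7.0"'   'java version "1.5.0_22"'; do
    report_line "$line"
done

# Also check whichever JRE is first on PATH, if any.
if command -v java >/dev/null 2>&1; then
    report_line "$(java -version 2>&1 | head -n 1)"
fi
```

Note that the live check only sees the JRE first on PATH. The browser plug-in may be bound to a different installation, so on a machine with several JREs the verdict should be confirmed against the version the browser actually loads (the Java control panel or the browser’s plug-in list will show it).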

Second, a few browser-related suggestions for managing this and future Java issues:

For customers running Firefox, newer versions will by default block outdated Java plug-ins from running, though applets may still run if the installed JRE version is not on Mozilla’s blocklist, so this is not a substitute for updating. We recommend Firefox users also install the NoScript add-on, which, among other things, allows Java to be enabled per site (for example, only for the Veracode platform site).

For Chrome users, most plug-ins, including Java, are set by default to “click-to-play”, meaning that when a page embeds them, running them requires explicit user intervention. We recommend leaving “click-to-play” selected for this setting, and clicking through only on sites you trust and expect to serve Java.

For Internet Explorer users, it’s a bit trickier. Because IE applies its security controls differently to OBJECT and APPLET elements, and because there is no entirely straightforward way to enable Java per site (see the previously linked article), we recommend that IE users disable Java entirely and enable it only when needed, or use an alternate browser for sites that require Java.

Cross-posted from Veracode
