
Eric Bruno

Dr. Dobb's Bloggers

Zero-Day: Inside the Latest Java Exploit

September 10, 2012

You may have heard that this past week, a zero-day security flaw was uncovered in the recently released Java SE 7 update 6. According to FireEye Malware Intelligence Lab, the Java plugin (part of the Java runtime that allows Java binary code to execute within the browser regardless of OS) had a flaw that could allow a malicious hacker to install software on your computer, effectively taking control. First, what exactly is a "zero-day" flaw?

Zero-Day Attack

We've all seen the media report "zero-day" attacks or flaws in urgent articles or blogs, and the title alone is enough to alarm you. What it means exactly is that the risk is real and was already present when the security hole was found. So, it's simply another way of saying "We've found a security hole in the existing release you're using." This is as opposed to a virus or worm that's set to deliver its payload on an advertised date, at some point in the future. A zero-day vulnerability is present now, whether anyone (even the "bad guys") knows it or not.

Although they run the risk of notifying the "bad guys" of the vulnerability also, security firms often publish their zero-day findings to the public in the hopes that this will motivate developers to create a fix sooner rather than later. In most cases, as with the latest Java SE 7 update, a fix is released very soon after.

Java 7 Update 6 Zero-Day Vulnerability

When the media reported the zero-day flaw in Java SE 7 earlier this week, some reports recommended that you disable Java in your browser. However, in my opinion that's heavy-handed, and probably not necessary. First, this flaw can only be exploited by a malicious web site that targets it specifically. Your first line of defense is to avoid those sites at all costs — a Java security flaw is only one of many risks you take if you visit such a site. Even with a secure version of Java, you're probably still at risk for infection when visiting a malicious site. Although, I do agree that caution should always be taken when known vulnerabilities in your platform exist, because you may not realize which sites are malicious in the first place.

The zero-day flaw in Java SE 7 update 6 exists on Windows, Mac OS X, and Linux, across all browsers. FireEye noted that visiting a site that exploits this flaw can install a "dropper" application on your local filesystem and execute that application, which in turn communicates back to its home base to take control of the host system (your computer). What badness it does from there is up to the hackers, but it's certainly not something you want on your computer.

Java SE 7 Update 7

Oracle moved quickly and released a patch for this zero-day flaw. It's highly recommended that you download and install Java SE 7 update 7, regardless of OS, which you can find on Oracle's site here. Developers should download the full JDK (which includes the updated JRE with browser Java plugin), while most users are fine with the latest JRE (same version).

Mac users: After installing update 7, be sure to open Java Preferences, found in Applications/Utilities, and enable the latest update. To do so, click on the "Version" column for the Java SE 7 entry in the list and then choose "1.7.0-07" from the list that appears (see screen shot below). You may need to scroll the list to see the latest update. That's it; you're now using the latest and safest (hopefully) version of Java SE 7.
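To confirm from a terminal that the update took effect, the following added example (not part of the original article or any Oracle tooling) classifies a `java -version` banner against the advice above. The function names and the sample banners are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: classify a `java -version` banner against the article's advice.
# classify_java_banner and check_local_java are hypothetical helper names.

# Takes banner text in $1 and prints one of:
#   needs-update  Java SE 7 older than update 7
#   ok            Java SE 7 update 7 or later
#   other         not a Java SE 7 runtime (outside what the article covers)
#   unknown       no version string found
classify_java_banner() {
    # Quoted token on the 'version' line, e.g. 1.7.0_06 or 1.7.0
    ver=$(printf '%s\n' "$1" | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return; }
    case "$ver" in
        1.7.0*) ;;
        *) echo other; return ;;
    esac
    # Update number follows the underscore; a bare 1.7.0 is the initial release.
    case "$ver" in
        *_*) upd=${ver#*_} ;;
        *)   upd=0 ;;
    esac
    upd=${upd%%[!0-9]*}                        # drop suffixes such as -b10
    upd=$(printf '%s' "$upd" | sed 's/^0*//')  # strip leading zeros
    [ -n "$upd" ] || upd=0
    if [ "$upd" -lt 7 ]; then echo needs-update; else echo ok; fi
}

# Classify the runtime found on PATH (java -version writes to stderr).
check_local_java() {
    command -v java >/dev/null 2>&1 || { echo "no java on PATH"; return; }
    classify_java_banner "$(java -version 2>&1)"
}

# Constructed sample banners (not captured from a real machine).
SAMPLE_U6='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)'
SAMPLE_U7='java version "1.7.0_07"'

echo "update 6 sample: $(classify_java_banner "$SAMPLE_U6")"
echo "update 7 sample: $(classify_java_banner "$SAMPLE_U7")"
```

Call `check_local_java` to test the runtime on your PATH. The browser plugin can be bound to a different installation, so Mac users should still confirm the Java Preferences selection described above.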


Happy coding!
