Zero-Day: Inside the Latest Java Exploit
You may have heard that this past week, a zero-day security flaw was uncovered in the recently released Java SE 7 update 6. According to FireEye Malware Intelligence Lab, the Java plugin (part of the Java runtime that allows Java binary code to execute within the browser regardless of OS) had a flaw that could allow a malicious hacker to install software on your computer, effectively taking control. First, what exactly is a "zero-day" flaw?
We've all seen the media report "zero-day" attacks or flaws in urgent articles or blogs, and the title alone is enough to alarm you. What it means exactly is that the risk is real and was already present when the security hole was found. So, it's simply another way of say "We've found a security hole in the existing release you're using." This is as opposed to a virus or worm that's set to deliver its payload on an advertised date, at some point in the future. A zero-day vulnerability is present now, whether anyone (even the "bad guys") knows it or not.
Although they run the risk of notifying the "bad guys" of the vulnerability also, security firms often publish their zero-day findings to the public in the hopes that this will motivate developers to create a fix sooner rather than later. In most cases, as with the latest Java SE 7 update, a fix is released very soon after.
Java 7 Update 6 Zero-Day Vulnerability
When the media reported the zero-day flaw in Java SE 7 earlier this week, some reports recommended that you disable Java in your browser. However, in my opinion that's heavy-handed, and probably not necessary. First, this flaw can only be exploited by a malicious web site that targets it specifically. Your first line of defense is to avoid those sites at all costs — a Java security flaw is only one of many risks you take if you visit such a site. Even with a secure version of Java, you're probably still at risk for infection when visiting a malicious site. Although, I do agree that caution should always be taken when known vulnerabilities in your platform exist, because you may not realize which sites are malicious in the first place.
The zero-day flaw in Java SE 7 update 6 exists on Windows, Mac OS X, and Linux, across all browsers. FireEye noted that visiting a site that exploits this flaw can install a "dropper" application on your local filesystem and execute that application, which in turn communicates back to its home base to take control of the host system (your computer). What badness it does from there is up to the hackers, but it's certainly not something you want on your computer.
Java SE 7 Update 7
Oracle moved quickly and released a patch to this zero-day flaw. It's highly recommended that you download and install Java SE 7 update 7, regardless of OS, which you can find on Oracle's site here. Developers should download the full JDK (which includes the updated JRE with browser Java plugin), while most users are fine with the latest JRE (same version).
Mac users: After installing the update 7 be sure to open Java Preferences, found in Applications/Utilities, and enable the latest update. To do so, click on the "Version" column for the Java SE 7 entry in the list and then choose "1.7.0-07" from the list that appears (see screen shot below). You may need to scroll the list to see the latest update. That's it; you're now using the latest and safest (hopefully) version of Java SE 7.