by Josh Kirschner for Techlicious
Critical Java Security Risk Requires Immediate Action
Security researchers have identified a serious flaw in Java that lets an attacker run arbitrary code on an affected computer, whether it runs Windows, OS X or Linux. Worse, the flaw came to light because it had already been built into widely used exploit kits, the commercial attack toolkits criminals use to infect visitors to compromised websites.
According to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University:
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.
We are recommending that everyone, whether you use a Mac or Windows PC, follow the steps below to protect yourself immediately.
UPDATE 1/14/13: Oracle has released a patch, Java 7 Update 11, that closes the hole and changes Java's default security setting to “High”, so that a user must confirm an applet is safe before it runs. Our advice is unchanged: all users should disable or uninstall Java as soon as possible unless they need it to run a specific application. Java has been a constant source of security exploits, and there is no guarantee that this fix is complete; a similar Java hole was supposed to have been closed by a patch released back in August. And while the new default is welcome, a confirmation prompt is only as good as the person clicking it: many users are accustomed to hitting “confirm” to run applications without really considering the risk, and an attacker can easily dress up a malicious applet to look legitimate.
Who is impacted by the Java security flaw?
Anyone who has Java 7 installed with its browser plug-in enabled is exposed, whatever the operating system. According to Oracle, the makers of Java, Java is installed on as many as 850 million personal computers worldwide.
Some reports have suggested that earlier versions of Java may be impacted as well. However, the well-respected security expert Brian Krebs says this is not the case. Until this question is resolved, it is safest to assume that all versions of Java could be vulnerable.
Some sites have suggested that Mac users are protected by an update Apple pushed out on Friday that blocks the Java 7 browser plug-in. That block is delivered through Apple's automatic malware-definition (XProtect) updates, so if you do not have automatic updates turned on, or the block turns out not to be complete, you may still be at risk.
Victims are infected simply by visiting a compromised website that serves a malicious Java applet; no download or install step is required. Depending on your browser and Java settings, you may or may not be offered the chance to block the applet before it loads. Since any website with weak security can be compromised by hackers, do not assume a site is safe just because it is “legitimate.”
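Two checks a practitioner would run after reading the above, as an added example that is not part of the Techlicious article: one classifies the output of `java -version` against the 7u11 fix level described in the update, the other reads the Java Control Panel's per-user `deployment.properties` file to confirm that "disable Java in the browser" actually took effect. The banner format (`java version "1.7.0_10"`) and the two property keys (`deployment.webjava.enabled`, `deployment.security.level`) are assumptions about Oracle's Java 7 Update 10+ installer, not facts stated on the page; the classification labels are this script's own.

```shell
#!/bin/sh
# Added example, not from the Techlicious article. Assumptions (not stated
# on the page): the "java -version" banner format, e.g.
#   java version "1.7.0_10"
# and the Java 7u10+ Control Panel keys deployment.webjava.enabled and
# deployment.security.level in the user's deployment.properties file.

AFFECTED_MAJOR=7   # Java 7 is the line CERT confirmed as affected
FIXED_UPDATE=11    # 7u11 is the first build Oracle shipped with the fix

# classify_java_banner BANNER
# Prints: vulnerable | patched | other-major | unknown
classify_java_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9A-Za-z._-]*\)".*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    # Oracle numbers Java 7 as 1.7.0_NN: the major is the second dotted field.
    major=$(printf '%s\n' "$ver" | cut -d. -f2)
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # The update level follows the underscore; a bare 1.7.0 counts as update 0.
    update=$(printf '%s\n' "$ver" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9][0-9]*\).*/\1/p')
    [ -n "$update" ] || update=0
    if [ "$major" -ne "$AFFECTED_MAJOR" ]; then
        echo other-major   # outside the confirmed range; see the caveat in the text
    elif [ "$update" -lt "$FIXED_UPDATE" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# check_installed_java: classify whatever "java" is on PATH. This is the
# command-line JRE; the browser plug-in can be a different build, so the
# deployment.properties check below is needed as well.
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo not-installed
        return 0
    fi
    classify_java_banner "$(java -version 2>&1 | head -n 1)"
}

# assess_deployment FILE
# Reads the Control Panel settings from a deployment.properties file and
# prints "plugin-disabled" or "plugin-enabled level=<LEVEL|unset>".
# The article's advice is to disable Java in the browser; this confirms it.
assess_deployment() {
    file=$1
    [ -r "$file" ] || { echo no-properties-file; return 0; }
    # Last occurrence wins; strip CR so Windows-style files parse too.
    webjava=$(sed -n 's/^deployment\.webjava\.enabled=\(.*\)$/\1/p' "$file" | tr -d '\r' | tail -n 1)
    level=$(sed -n 's/^deployment\.security\.level=\(.*\)$/\1/p' "$file" | tr -d '\r' | tail -n 1)
    if [ "$webjava" = false ]; then
        echo plugin-disabled
    else
        echo "plugin-enabled level=${level:-unset}"
    fi
}

# Usage: sh java_check.sh --check
if [ "${1-}" = --check ]; then
    echo "java on PATH: $(check_installed_java)"
    # Linux location of the per-user file (assumed); OS X and Windows keep it elsewhere.
    echo "browser plug-in: $(assess_deployment "$HOME/.java/deployment/deployment.properties")"
fi
```

Note that "other-major" is not a clean bill of health: the article itself says to assume older versions may be affected until that question is settled, and a patched command-line JRE says nothing about a stale plug-in bundled with another Java install, which is why both checks are run.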
This excerpt appears with the permission of Techlicious.