Java 7 Security Manager Bypass Vulnerability

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning that hackers have figured out how to exploit Java vulnerabilities to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites. This is particularly bad news for wireless sensor network researchers that have many applications and simulations with Java development kit like VisualSense and a host of others.

“We are currently unaware of a practical solution to this problem,” the Department of Homeland Security’s Computer Emergency Readiness Team said in a posting on its websites.

The systems affected according to the news are:

Any system using Oracle Java 7 (1.7, 1.7.0) including

• Java Platform Standard Edition 7 (Java SE 7)

• Java SE Development Kit (JDK 7)

• Java SE Runtime Environment (JRE 7)

All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk.

The overview of the problem according to the Team is that vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system. It therefore means that Vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. The problem with this is that an intruder could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet known as a “drive-by download” attack.

The warning by US-CERT further states that any web browser using the Java 7 plug-in is affected and warned that the Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.

Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available, giving a serious impact by convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

According to the report, consumers should temporarily disable Java in web browsers until Oracle fixes the problem since this and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. It advice that to defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.