
Alert (TA12-240A)

Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: August 27, 2012 | Last revised: January 23, 2013

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0), including:

  • Java Platform Standard Edition 7 (Java SE 7)
  • Java SE Development Kit (JDK 7)
  • Java SE Runtime Environment (JRE 7)
  • OpenJDK 7 and 7u

IcedTea 2.3.0 (based on OpenJDK 7) is also affected.

Web browsers using the Java 7 plug-in are at high risk.

Overview

A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.

Description

A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious applet.

Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.

Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.

Further technical details are available in Vulnerability Note VU#636312.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Solution

Update Java

This and other vulnerabilities are addressed by Java 7 Update 7. Please see Oracle Security Alert for CVE-2012-4681 for more information.

This vulnerability is addressed in IcedTea 2.3.1.

Reports indicate that other vulnerabilities remain after updating Java to Update 7.
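As an added example (not part of the US-CERT advisory or any Oracle tooling), the following Python check classifies a `java -version` banner against the fix levels the advisory names: Java 7 Update 7 (1.7.0_07) and IcedTea 2.3.1, with anything other than Java 7 treated as outside the affected range. The sample banners are constructed, and the IcedTea banner layout is an assumption about the distribution's build string.

```python
import re
import subprocess

# Fix levels named in the advisory: Java 7 Update 7 (1.7.0_07) and IcedTea 2.3.1.
FIXED_JAVA7_UPDATE = 7
FIXED_ICEDTEA = (2, 3, 1)

# Constructed sample `java -version` banners (not captured from real hosts);
# the IcedTea banner layout is an assumption about the distribution's build string.
SAMPLE_BANNERS = {
    "oracle-7u6":  'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "oracle-7u7":  'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "oracle-6u35": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    "icedtea-230": 'java version "1.7.0_05"\nOpenJDK Runtime Environment (IcedTea7 2.3.0) (7u5-2.3.0)',
    "icedtea-231": 'java version "1.7.0_07"\nOpenJDK Runtime Environment (IcedTea7 2.3.1) (7u7-2.3.1)',
}

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')
ICEDTEA_RE = re.compile(r'IcedTea\d*\s+(\d+)\.(\d+)\.(\d+)')


def assess(banner: str) -> tuple[str, str]:
    """Classify a `java -version` banner as affected, fixed, not-affected or unknown."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown", "no 'java version' line found"
    major, minor, _micro, update = (int(x) if x else 0 for x in m.groups())
    if (major, minor) != (1, 7):
        # The advisory lists only Java 7 (1.7) builds as affected.
        return "not-affected", f"Java {major}.{minor} is outside the affected range"
    ice = ICEDTEA_RE.search(banner)
    if ice:
        # IcedTea carries its own version number; 2.3.1 is the fixed release.
        ice_ver = tuple(int(x) for x in ice.groups())
        verdict = "fixed" if ice_ver >= FIXED_ICEDTEA else "affected"
        return verdict, "IcedTea %d.%d.%d" % ice_ver
    # Oracle / plain OpenJDK 7: fixed from Update 7 onward (other bugs may remain).
    verdict = "fixed" if update >= FIXED_JAVA7_UPDATE else "affected"
    return verdict, f"Java 7 Update {update}"


def assess_local_java() -> tuple[str, str]:
    """Run the local `java -version` (it prints to stderr) and classify the banner."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown", "no java binary on PATH; check browser plug-ins separately"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:12s} -> {assess(banner)}")
    print("local       ->", assess_local_java())
```

A "fixed" verdict only means this vulnerability's fix level is met; as the advisory notes, other issues remain in Update 7, and a browser plug-in can be present even when no `java` binary is on the PATH.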

Disable the Java plug-in, Java Deployment Toolkit, and Java Web Start functionality

To protect against this and future vulnerabilities, consider disabling the Java plug-in, Java Deployment Toolkit, and Java Web Start functionality. There are multiple ways to invoke Java in different web browsers and operating systems, and it can be difficult to completely disable browser support for Java. Check the Solution section of VU#636312 for up-to-date information.

Here are instructions for several common web browsers. Take care to disable both the Java and Java Deployment Toolkit plug-ins and, if necessary, disable Java Web Start by breaking JNLP handling.

Downgrade to Java 6

Consider uninstalling Java 7 and using Java 6.

Use NoScript

NoScript is a browser extension for Mozilla Firefox browsers that provides options to block Java applets.

References

Revisions

  • August 27, 2012: Initial release
  • August 28, 2012: Updated
  • September 05, 2012: Updated
