Zero-day vulnerability: Should you disable or remove Java from your computer?

30 Aug 2012

A vulnerability in the most recent version of Java could leave your computer at risk of a malware attack. Until a suitable patch is released, the best way to protect your system is by either disabling or removing Java.

The zero-day (meaning unpatched) vulnerability was spotted in the wild late last week by Atif Mushtaq of FireEye, who reported seeing it used in limited targeted attacks. By Tuesday (28 August) the FireEye blog reported finding over a dozen domains that were actively attacking systems using this exploit.

How the exploit works

The official name of this vulnerability is CVE-2012-4681 and it appears in the latest version of Java, version 1.7, Update 6, which means any system with the most recent Java run-time environments (JRE 1.7x) is at risk.

It has since been reported that the exploit has been integrated into the Blackhole attack toolkit. This is a popular commercial exploit toolkit commonly used by cybercriminals to infect computers with malware when users visit malicious or compromised websites. If this is the case, then attacks using this exploit could become widespread.

Because this vulnerability allows malicious code to be executed without user interaction, security experts consider it extremely critical, and it is believed that further vulnerabilities may be exploited with considerable speed.

The short-term solution

On Monday, an advisory was published by the United States Computer Emergency Readiness Team (US-CERT) explaining how users can disable Java in their web browser or remove it completely in order to protect their computers from potential attacks. ESET security expert Stephen Cobb has posted some practical advice on the ESET Ireland blog on how to do this.

In Chrome, Firefox, Safari and Opera this is fairly straightforward. With Internet Explorer, however, the process is more complicated and some methods of disabling Java appear to be ignored. Cobb advises that users avoid using IE as their main browser if they aren’t confident that Java has been successfully disabled, and to also ensure that it is not their default browser if this is the case.

It’s very important that Java is disabled in users’ default browsers as some malware can execute via the default browser even when it’s not in use.

With no fixes or workarounds yet known, the only alternative to disabling Java is to remove it altogether. However, this is not an ideal solution for companies or users relying heavily on Java-based web applications. It is expected that Oracle will fix the vulnerability in its next Critical Patch Update, which is due in October. It is hoped, however, that Oracle may decide to release the security patch sooner, before users have to resort to uninstalling Java.

UPDATE: Oracle has released Java Version 7, Update 7, which addresses this vulnerability. Users are advised to download the update immediately and not to wait for automatic updates to be rolled out.
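The advice above comes down to one question per machine: is a Java 7 runtime older than Update 7 still installed? The following script is an added example, not code from the article, ESET, US-CERT or Oracle. It parses the banner that `java -version` prints and reports whether the version falls in the range the article describes as affected (the 1.7 line below Update 7). It assumes Python 3.7 or later and that the runtime prints its banner to stderr, as the Oracle JRE does; the scope (only 1.7.x affected, 7u7 fixed) is taken from the article, not from any further advisory.

```python
"""
Added example: classify a Java runtime as affected or not affected by
CVE-2012-4681, using the version range the article gives (JRE 1.7 line,
Update 6 or earlier; fixed in Java 7 Update 7).
"""
import re
import subprocess

# Assumption (from the article): the 1.7 line is affected below Update 7.
FIXED_UPDATE = 7

# Matches the version token in a `java -version` banner, e.g. 1.7.0_06 or 1.7.0
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, patch, update) from banner text, or None if absent.
    A missing update suffix (e.g. "1.7.0") is treated as update 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_affected(version):
    """True when the parsed version is in the 1.7 line below Update 7."""
    if version is None:
        return False
    major, minor, _patch, update = version
    return (major, minor) == (1, 7) and update < FIXED_UPDATE


def classify(text):
    """Map a `java -version` banner to 'affected', 'not affected' or 'unknown'."""
    version = parse_java_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def installed_java_status():
    """Run `java -version` on this host and classify the result.
    Returns 'unknown' when no java binary is on the PATH (nothing to disable)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    # The Oracle JRE prints the banner on stderr; include stdout just in case.
    return classify(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners in the format `java -version` uses.
    samples = [
        'java version "1.7.0_06"',
        'java version "1.7.0_07"',
        'java version "1.6.0_33"',
    ]
    for banner in samples:
        print(f"{banner:28} -> {classify(banner)}")
    print("this host                    ->", installed_java_status())
```

Run it on each workstation you administer; a result of "affected" means Java should be disabled in every browser (including the default browser, for the reason the article gives) or updated to 7 Update 7 before the machine is used for web browsing again.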


Elaine Burke is the editor of Silicon Republic