Zeroday Java 7 Vulnerability
January 11, 2013 at 12:29 PM CST
Updated January 14, 2013 at 12:08 PM CST
On January 10, 2013, security researchers reported an unpatched vulnerability in all versions of Java 7 up through Update 10 that is being exploited through drive-by download attacks. The CERT advisory is available at http://www.kb.cert.org/vuls/id/625617.
Security professionals report that attack code for the vulnerability is being "massively exploited in the wild." Attackers use such exploits to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting website visitors.
Browsing the web with a vulnerable version of Java installed and enabled means that simply visiting a website is enough for an attacker to compromise your computer. This is known as a "drive-by download".
While "safe browsing" to only trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability and prevent exploitation. Please see "Troy IT Recommendations" and "Workarounds" below for further steps that must be taken.
The malicious software installed through these attacks may collect usernames and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, email etc.
All versions of Oracle Java 7 (aka 1.7) from the initial release up through update 10 are vulnerable.
Other versions of Java may be vulnerable.
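The affected range above (Java 7 from the initial release through Update 10) can be checked against the version string an installed runtime reports. The script below is an added example, not a Troy IT or CERT tool; it assumes the `java version "1.7.0_10"` format that `java -version` prints (to stderr) and classifies only against the range this advisory lists, so a version outside that range is reported as "not-in-listed-range" rather than as safe, since the advisory notes that other versions may be vulnerable.

```python
import re
import subprocess

# Affected range stated in the advisory: Java 7 (1.7) from the initial
# release through Update 10.
AFFECTED_MAJOR_MINOR = (1, 7)
LAST_AFFECTED_UPDATE = 10

# Matches the version token in `java -version` output, e.g.
#   java version "1.7.0_10"      -> (1, 7, 0, 10)
#   java version "1.7.0"         -> (1, 7, 0, 0)
#   openjdk version "17.0.2"     -> (17, 0, 2, 0)
VERSION_RE = re.compile(
    r'version\s+"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(version_output):
    """Return (major, minor, patch, update) parsed from `java -version`
    text, or None when no version token is present."""
    m = VERSION_RE.search(version_output)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def is_in_affected_range(version_tuple):
    """True when the version is 1.7 with update number 0 through 10."""
    if version_tuple is None:
        return False
    major, minor, _patch, update = version_tuple
    return (major, minor) == AFFECTED_MAJOR_MINOR and update <= LAST_AFFECTED_UPDATE


def classify(version_output):
    """'affected', 'not-in-listed-range', or 'unknown' (no version found)."""
    v = parse_java_version(version_output)
    if v is None:
        return "unknown"
    return "affected" if is_in_affected_range(v) else "not-in-listed-range"


def installed_java_version_output():
    """Run `java -version` on this machine. The JVM prints the banner to
    stderr, so both streams are combined. Returns '' if java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners (not captured from a real machine) with the
# classification each should produce.
SAMPLES = [
    ('java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
     "affected"),
    ('java version "1.7.0"\nJava(TM) SE Runtime Environment', "affected"),
    ('java version "1.6.0_38"\nJava(TM) SE Runtime Environment', "not-in-listed-range"),
    ("bash: java: command not found", "unknown"),
]

if __name__ == "__main__":
    for banner, expected in SAMPLES:
        result = classify(banner)
        print(f"{banner.splitlines()[0]!r}: {result} (expected {expected})")
    print("this machine:", classify(installed_java_version_output()))
```

Run it on a workstation to see how the locally installed runtime classifies; the `SAMPLES` list exercises the parser offline without Java present.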
Troy IT Response
When a patch is made available, Troy IT will send an update and provision patch delivery where applicable. We are working with our security vendors to create an out-of-cycle threat mitigation remedy.
Update 01/14/2013: A patch is available from Oracle. Please visit http://java.com/en/download/ to download the patch.
Troy IT Recommendations
Regularly check this site for updates.
Don't click on web pop-ups; close the window instead. If the window won't close, open your process list and force your browser to close.
Workarounds
Pending - update will be posted soon.
Update 01/14/2013: please see the Troy IT Response section above. For other workarounds, visit http://www.kb.cert.org/vuls/id/636312.
Notice: workarounds could disable Java and negatively affect various software functionalities.