A new vulnerability in Java 7 has been added to the BlackHole exploit kit and Metasploit that allows malicious software to be installed on Windows, Mac OS X, and Linux computers. So far, attacks have only been reported on Windows, but security experts say it would be easy to target any computer that has the newest version of Java installed. David Maynor, the CTO of Errata Security, says it's "about as bad a bug as I've ever seen."
Kaspersky Lab's Kurt Baumgartner mapped the attacks, finding the hardest hit to be China and Russia.
Symantec discovered two websites that were using the attacks. Here's how their analysis says it works:
"The vulnerability consists of a privilege escalation due to a class that allows access to protected members of system classes, which should not be accessible. Because of this, malicious code can bypass the restrictions imposed by the sandbox and use the 'getRuntime().exec()' function in order to execute a malicious payload."
How to Protect Yourself
The only way to be 100% safe is to disable or uninstall Java completely, but if you need it for a lot of apps or websites that you use frequently (like Minecraft), that may not be an option. The vulnerability has been found to work only in Java 7, so installing an older version is another option.
Disabling Java in a Browser
- Firefox: Firefox >> Add-ons >> Disable Java
- Internet Explorer: Tools >> Manage add-ons >> Disable Java
- Chrome: type about:plugins in the address bar >> Disable Java
Uninstalling Java
- Windows: Open the Control Panel and click on Uninstall Programs. Select Java and click Uninstall.
- Mac: Most Macs still have Java 6 installed, but if you have the newest version on yours, you can disable it by going to System >> Library >> Frameworks and removing the file called "JavaVM.framework."
Installing Java 6
If you do need to use Java, you can download an older version that isn't affected by the exploit here. The download page also has guides to installing the software on Windows, Solaris, and Linux.
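All of the advice above depends on which Java line a machine actually has installed. As an added example (not code from the original article), this Python script parses the output of `java -version` and flags a 1.7.x runtime as affected; the `first_fixed_update` threshold is a placeholder, since the article does not state the update number of the patch.

```python
import re
import subprocess

# Constructed sample outputs of `java -version` (the real command prints to stderr).
SAMPLE_OUTPUTS = {
    "java7": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "java6": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)\n',
    "missing": "",  # java not installed / not on PATH
}

# Matches both Oracle ("java version") and OpenJDK ("openjdk version") banners.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, patch, update) from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return int(major), int(minor), int(patch), int(update or 0)


def is_affected(output, first_fixed_update=None):
    """True if the banner reports the Java 7 line (1.7.x), which the article says is
    the only affected line. first_fixed_update is a placeholder (the article gives no
    number); a 1.7 build at or above that update level is treated as patched."""
    ver = parse_java_version(output)
    if ver is None:
        return False  # no Java found, nothing to exploit
    major, minor, _, update = ver
    if (major, minor) != (1, 7):
        return False  # Java 6 and earlier are not affected per the article
    if first_fixed_update is not None and update >= first_fixed_update:
        return False
    return True


def local_java_output():
    """Run `java -version` on this machine; empty string if java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    out = local_java_output()
    print("affected" if is_affected(out) else "not affected / no Java", parse_java_version(out))
```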
UPDATE: A patch to fix the exploit has been released. Download it here.