by   December 2, 2011 11:54 AM C/NET  


There is a rather serious vulnerability in Java version 1.6.0_26 that is apparently being actively pursued by hackers, one that is easy to implement and allows hackers to compromise systems without being detected.

The exploit was found a couple of months ago and was addressed in thelatest round of Java updates both from Oracle and from Apple for OS X users; however, many people have not yet updated their systems and hackers are working to take advantage of this flaw on these systems.

The vulnerability allows a maliciously crafted Java applet to run undetected on many browsers and allows code to execute outside of the Java sandbox with the privileges of the current user. This means that malicious code in the applet can have access to any system feature your account has access to. For standard user accounts that’s restricted to the user’s home folder and attached disks, but for administrators it includes the Applications folder and parts of the global library and system folders.

This behavior is not particularly new for vulnerabilities; however, this one is a bit different in that the exploit is easy to perform, does not require authentication or other user input to run, and remains hidden on most browsers.

Beyond all of these details is the real issue here, which is that packaged versions of the exploit are apparently being actively sold and distributed among hackers on underground cybercrime networks, meaning that it is very likely to be implemented on many sites. If by chance a Google search results in you clicking a site that has this exploit, then if you have Java installed, your computer could be quickly compromised. All you have to do is visit a compromised Web site with a malicious Java applet, and most browsers will not even indicate the exploit is running.

OS X Java PreferencesIn OS X, check the Java Preferences utility to see what version of Java you are running. You can use the preferences to disable Java applets as well.

(Credit: Screenshot by Topher Kessler)

Security community Metasploit took a recent lookat this vulnerability, and found that the exploit, described as “a big one,” is run completely and successfully on all systems running Java prior to version 1.6.0_29-b11, including Windows XP,Windows 7, Ubuntu Linux, and Apple’s OS X.

On all platforms, only Google’s Chrome browser gave any notification that a Java applet was running; other browsers like Safari, Internet Explorer, and Firefox gave no indication at all. Regardless of this difference, the malicious applet ran easily and successfully in all browsers.

According to Krebs on Security, the exploit “should not be taken lightly by any computer user,” since Java is installed on more than 3 billion computing devices worldwide. Krebs cites Microsoft’s Tim Rains as mentioning that Java-based exploits were the most common ones seen on computer systems in the first half of 2011, suggesting that hackers would be eager to get their hands on this current exploit.

Safari's Java optionsSafari’s preferences have an option for disabling Java.

(Credit: Screenshot by Topher Kessler)

This is a serious issue, but luckily the last update to Java distributed by Oracle, Apple, and other companies for their operating systems includes a fix for this problem. If you keep your system fully updated and if applied the Java patch when it was released then you have nothing to worry about; however, many times people ignore updates to software that they do not use, with Java being one of them.

To see what version of Java you are running on your system, launch your Java configuration tool or runtime environment and check the version there. For Mac users, Apple has stopped including Java with OS X but has it readily available to download if you run Java applications on your system. If you have not installed Java then you are in the clear. If you have, then go to your /Applicatons/Utilities/ folder and open the Java Preferences application. In here if you see the Java SE 6 version listed as being anything below 1.6.0_29-b11, then it is highly recommended that you update Java on your system.

The latest Java update is available via software update tools, so be sure to run them on your system (Apple’s is available by selecting Software Update in the Apple menu). However, you can also download the updates directly from sites like Apple’s Java Update 6 for Mac OS X 10.6, and the Java Update 1 for OS X 10.7. Non-Mac users can download the update directly from Oracle.

Firefox Add-on managerFirefox’s Java handling can be disabled through its Add-ons manager.

(Credit: Screenshot by Topher Kessler)

In addition to updating Java, there are some other steps you can take to help secure your system, especially if you do not regularly use Java Web applets when browsing the Internet (and especially since most common Web scripting is done in JavaScript and PHP, or uses Flash). In the Java preferences, uncheck the option to enable applet plug-in and Web Start applications, which will prevent downloaded applets from launching. Additionally, in Safari’s preferences uncheck the security option for enabling Java.

If you use Firefox, then to disable Java go to the Tools menu and select the Add-ons option to open the Add-ons Manager window. In here, click the Plugins section to the left, and locate the Java Applet Plug-in. Then click the “Disable” button next to the plug-in to prevent Java applets from running.

Again, this threat was addressed over a month ago, so while it is only now being found to be a serious issue, the fix for it has been available and ready for a while. However, as it’s a recent update many people may not have yet installed it, so again, be sure to check your system and apply the update if you are not running the latest version of Java.