Created on: January 16, 2013
Last week a vulnerability was discovered in Java that allowed an attacker to gain remote access to systems and use them for nefarious purposes.
The vulnerability, which affected Java 7 versions, was serious enough that the U.S. Department of Homeland Security sent out a warning. The DHS' Computer Emergency Readiness Team stated "A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system."
With experts describing the vulnerability as "critical," DHS urged users to disable the software until a fix was issued by Oracle, the developer of Java.
As news of the exploit was published, Symantec reported the company was seeing hundreds of thousands of exploits occurring per day related to the Java vulnerability. Most of the incidents appear to be centered in the U.S., according to a map published by the security software maker.
On Sunday, Oracle released an emergency software update which included a few changes to address the vulnerability issues and prevent attackers from accessing the computers of unsuspecting users.
In a blog post, Oracle indicated the exploit is only found in Oracle Java 7 versions; it does not impact Java on servers, Java desktop applications, or embedded Java. The company did note that the fix addresses two software vulnerabilities related to this issue that affect Java software in Web browsers.
"To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website. The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system," wrote Eric Maurice, an Oracle representative. "These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets."
Additionally, Oracle increased Java's security settings from "medium" to "high" by default. The update also requires users to authorize the execution of applets that are unsigned or self-signed; this means that if a user surfs onto a malicious site, the user will be notified before the applet is run and can deny access.
Oracle is recommending users install the security patch "as soon as possible because these issues may be exploited 'in the wild' and some exploits are available in various hacking tools."
According to Dark Reading, the exploit was first discovered by a researcher who goes by the handle @Kafeine; the researcher's discovery was later confirmed by other security experts.
In the Dark Reading piece, experts were quoted as saying this is unlikely to be the last exploit found in Java this year.
"If you have any business critical applications that require Java: try to find a replacement. I don't think this will be the last flaw, and the focus on Java from people behind exploit kits like Blackhole is likely going to lead to additional exploits down the road," Johannes Ullrich blogged on the SANS Internet Storm Center.
Oracle releases software update to fix Java vulnerability