Q: What's going on? People are talking about some Java 0daywhich threatens the whole world… Bring me up to speed, now!
A: About a week ago, an independent researcher has reported a previously unknown (0day) Java vulnerability being used in order to infect innocent users with malware. When a 0day vulnerability is discovered it is usually reported to the affected vendor and that vendor will issue a patch that fixes the software bug, hence closing the security hole. However in this case the vulnerability was discovered by someone who chose not to do the responsible thing (reporting to the vendor), and instead took advantage of this finding for personal profit. A 0day vulnerability gives the attacker an imperative advantage over the victim for two main reasons:
In such cases being aware of the attack and its specifics is of highest importance, thus we have analyzed this vulnerability and posted our findings on the very same day it was discovered and verified out-of-box protections in Trustwave's Secure Web Gateway product.
Q: Who is at risk?
A: Anyone who has java 1.7u10 (or prior) installed. Users who have Java 1.7u11 or Java 1.6 installed, are not affected by this issue. Since it is a common practice for enterprise environments to rely internally on Java applications, these users should pay extra attention and contact their IT department regarding the software installed on their desktop.
Q: What can I do to protect myself?
A: Uninstall Java from your computer, or disable the Java browser plugin in your browser. However, if you need Java for your daily work environment then make sure to update your Java to version 1.7u11. You can get it here.
Q: How can I tell which version of Java I have installed?
A: Simply go to: http://www.java.com/en/download/installed.jsp .Note that this page relies on the Java browser plugin in order to detect the installed version. This means that if your Java plugin is already disabled(which is good!), the page will not be able to detect any Java on your computer, even if Java is actually installed.
Q: I'm confused! There is a Java plugin and Java "standalone"?
A: Correct. Installing Java Runtime Environment will enable the user to execute Java applications locally. Also, along with the JRE you will get a Java browser plugin installed. This plugin allows you execute Java applets in a web site context. Disabling this plugin doesn't impact the ability to execute local Java applications.
Q: What is the attack scenario?
A: A common attack scenario for this issue would be a user with a vulnerable Java plugin browsing to a malicious site. This can happen on daily basis, since users will often click on unfamiliar links. This can also happen by browsing an absolutely legitimate site which was hacked and as a result is now serving malicious content along with the normal content. Another example would be a legitimate site serving ads, which sometimes contain malicious content. Both of the latter examples usually occur without the knowledge of the legitimate site owner and operator.
A malicious site would exploit the weakness in your Java plugin using an embedded java applet, without user interaction or consent. Upon successful exploitation the attacker gains control over the victim PC and will usually infect the computer with malware.
Q: But I use Mac/Linux/Casio calculator, am I still vulnerable?
A: The vulnerability at hand is platform independent and originates from the Java software. Thus, any Java user is at risk, regardless of the underlying OS. For a more detailed technical explanation you should read here. However, Mac users are at lower risk since Apple has disabled the outdated versions of Java plugin on OS X.
Q: I use Java and have updated to the latest version (1.7u11). Am I safe?
A: Actually you can never be 100% safe. However, in this case you are indeed immune to the latest Java vulnerability (and any other previously reported Java vulnerabilities). But as history shows, new vulnerabilities are bound to be found and exploited, and in order to protect yourself from future threats a complementary security product should be used. One terrific choice would be Trustwave Secure Web Gateway! Our product has successfully detected and stopped all five Java 0days that were discovered in the past year or so (including this one of course!).
Thanks to Rami Kogan for his contribution on this subject!