Java Zero-Day Vulnerability CVE-2013-0422

SUMMARY

Windows PC and Mac users who have the Oracle Java JRE web plug-in version 7u10 and below should immediately update to the latest release of Java JRE 7u11 [1], or disable Java in their web browsers [2].

BACKGROUND

On January 10, 2013, security researchers reported an unpatched vulnerability in Oracle Java 1.7u10. This vulnerability has been labeled CVE-2013-0422.

Security professionals comment that the vulnerability is being “massively exploited in the wild.” Miscreants use such exploits to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting website visitors.

IMPACT

Browsing the web with a vulnerable version of Java installed and enabled means that simply visiting a website or clicking on a link in an e-mail message is enough for an attacker to compromise your computer. This is known as a “drive-by download” [3]. The malicious software installed through these attacks may collect usernames and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, email, etc.

While “safe browsing” to only trusted websites may limit your exposure to drive-by downloads, it does not address the underlying vulnerability or prevent exploitation. Please see “Recommendations” and “Workarounds” below for further steps that should be taken.

PLATFORMS AFFECTED

All versions of Oracle Java 7 (aka JRE 1.7) from the initial release up through update 10 are vulnerable. This affects both Windows PC and Mac OS if you have installed the JRE web plug-in. Oracle maintains that earlier versions of Java are not affected by this particular exploit [6].
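The affected range above, written as a check over `java -version` output (an added example, not part of the original bulletin). It assumes the legacy `1.<major>.0_<update>` version string; the host names and banners are constructed samples, and the JRE found on the PATH may differ from the browser plug-in version.

```python
import re

# Legacy banner printed by `java -version`, e.g.
#   java version "1.7.0_10"   or   java version "1.7.0"  (initial release)
_VERSION_RE = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?')

FIXED_UPDATE = 11  # the bulletin names Java 7 update 11 as the fixed release


def parse_java_version(banner):
    """Return (major, update) parsed from a banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    # A missing "_NN" suffix means the initial release, i.e. update 0.
    return int(m.group(1)), int(m.group(3)) if m.group(3) else 0


def classify(banner):
    """Classify one banner against the range stated in the bulletin."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"          # no Java, or a format this check does not cover
    major, update = parsed
    if major == 7:
        return "vulnerable" if update < FIXED_UPDATE else "patched"
    if major < 7:
        return "not-affected"     # Oracle's statement for earlier versions [6]
    return "out-of-scope"         # later versions are not covered by the bulletin


def vulnerable_hosts(inventory):
    """Return sorted host names whose banner falls in the affected range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "vulnerable")


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_BANNERS = {
    "lab-pc-01": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
    "lab-pc-02": 'java version "1.7.0_11"',
    "lab-mac-01": 'java version "1.7.0"',
    "banner-ws": 'java version "1.6.0_38"',
    "kiosk-03": "java: command not found",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_BANNERS.items()):
        print(f"{host}: {classify(banner)}")
```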

RECOMMENDATIONS

  • Update Java Immediately - Regularly check for updates and remove old versions of Java. Java 7 update 11 is available at the website http://www.java.com [1].
  • Update Anti-Virus/Anti-Malware software – MU campus users who have the latest version of Symantec Endpoint Protection (SEP) 12.1.2015 [9] installed will receive additional protection through the ‘Proactive Threat Protection’ and ‘Network Threat Protection’ modules. This includes a browser-protection technology which can detect and prevent malicious Java from being executed on client computers.
  • Use an alternative web browser – it has been reported that users of the latest versions of Mozilla Firefox, Google Chrome, and Apple’s Safari browsers are provided additional security protections not currently found in the default Windows IE9 web browser [7].
  • Exercise caution - Don’t click on web popups, but close the window instead. If they won’t close, open your process list and force your browser to close.

WORKAROUNDS

Disable Java [2]. NOTE: This workaround may prevent certain websites from working correctly, and must be considered in relation to essential enterprise applications like Banner, which currently depends on Java 6. (Java 6 and Java 7 can be installed at the same time, but keeping both versions updated may require the use of manual updates.)

FURTHER READING

[1] http://java.com/en/download/installed.jsp?detect=jre&try=1

[2] https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

[3] http://en.wikipedia.org/wiki/Drive-by_download

[4] http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

[5] http://www.oracle.com/technology/deploy/security/alerts.htm

[6] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

[7] https://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/

[8] http://krebsonsecurity.com/tag/cve-2013-0422/

[9] http://www.marshall.edu/antivirus

If you have additional questions regarding the content or recommendations in this security bulletin, please contact your departmental IT service provider, the IT Service Desk at itservicedesk@marshall.edu / 304-696-3200, or the IT Office of Security infosec@marshall.edu.