Java Security Manager Bypass Vulnerability
By Art Manion on 08/29/2012 | Permalink
Last Sunday, another major Java vulnerability (VU#636312) was reported. Until an official update is available, we strongly recommend disabling the Java 7 plug-in for web browsers.
This vulnerability is bad news, at least for those of us trying to avoid phishing and drive-by browsing attacks. The vulnerability is caused by a logic bug that allows an applet to grant itself full privileges. More technical details are available in Vulnerability Note VU#636312.
The features of this vulnerability make it a very attractive attack vector:
- Java works across platforms (operating systems and browsers).
- The Java plug-in runs outside of browser restrictions such as Internet Explorer's (IE) Protected Mode.
- It's not a memory bug, so there's no need for exploits to work around defenses like data execution prevention (DEP) or address space layout randomization (ASLR) and no need to build exploits for specific memory layouts.
- The exploit was found in the wild, public exploit code is available, and the exploit is in attacker toolkits.
- No update or information from Oracle is available.
Unfortunately, this type of vulnerability isn't new. Vulnerabilities exploited with Java applets are a great way to bypass browser and OS security restrictions. Attackers know this, as shown by the prevalence of Java exploits in attacker toolkits.
If you're running Java 7, it's very important to disable the Java plug-in.
If you must use Java applets in a browser, consider installing a browser with the Java plug-in enabled and only using that browser to visit sites that specifically require Java. And watch for an update from Oracle.
Take extra care disabling the Java plug-in for IE; we found it strangely difficult. The plug-in did not consistently appear in the Manage Add-ons UI. Also, the Java control panel greyed out the option to uncheck the plug-in for IE, although it is possible to clear the check box by using the space bar (but not a mouse click...). It's also possible to edit the registry directly as described in VU#636312.
Update: It turns out disabling the Java plug-in for IE is even more complicated. Please see the instructions provided in VU#636312.
Update 2: Oracle has released Java 7 Update 7. See Oracle Security Alert for CVE-2012-4681 for more information. To protect against future Java vulnerabilities, consider leaving the Java plug-in disabled.