About UsOracle Java 7 Security Manager Bypass Vulnerability
Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0) including:
* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)
Web browsers using the Java 7 Plug-in are at high risk.
Overview
A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
vulnerable system.
Description
A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary operating system
commands. An attacker could use social engineering techniques to
entice a user to visit a link to a web site hosting a malicious
applet.
Any web browser using the Java 7 Plug-in is affected.
Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.
Impact
By convincing a user to load a malicious Java applet, an attacker
could execute arbitrary operating system commands on a vulnerable
system with the privileges of the Java Plug-in process.
Solution
Disable the Java Plug-in
Disabling the Java web browser plug-in will prevent Java applets
from from running. Here are instructions for several common web
browsers:
* Apple Safari: How to disable the Java web plug-in in Safari
* Mozilla Firefox: How to turn off Java applets
* Google Chrome: See the "Disable specific plug-ins" section of the
Chrome Plug-ins documentation.
* Microsoft Internet Explorer: Change the value of the
UseJava2IExplorer registry key to 0. Depending on the versions of
Windows and the Java plug-in, the key can be found in these
locations:
HKLM\Software\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer
HKLM\Software\Wow6432Node\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer
* The Java Control Panel (javacpl.exe) does not reliably configure
the Java plug-in for Internet Explorer. Instead of editing the
registry, it is possible to run javacpl.exe as Administrator,
navigate to the Advanced tab, Default Java for browsers, and use
the space bar to de-select the Microsoft Internet Explorer option.
Use NoScript
NoScript is a browser extension for Mozilla Firefox browsers that
provides options to block Java applets.
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)
Overview
applets could allow an attacker to execute arbitrary commands on a
vulnerable system.
Description
to grant itself permission to execute arbitrary operating system
commands. An attacker could use social engineering techniques to
entice a user to visit a link to a web site hosting a malicious
applet.
and exploit code is publicly available.
Impact
could execute arbitrary operating system commands on a vulnerable
system with the privileges of the Java Plug-in process.
Solution
from from running. Here are instructions for several common web
browsers:
Chrome Plug-ins documentation.
UseJava2IExplorer registry key to 0. Depending on the versions of
Windows and the Java plug-in, the key can be found in these
locations:
* The Java Control Panel (javacpl.exe) does not reliably configure
the Java plug-in for Internet Explorer. Instead of editing the
registry, it is possible to run javacpl.exe as Administrator,
navigate to the Advanced tab, Default Java for browsers, and use
the space bar to de-select the Microsoft Internet Explorer option.
provides options to block Java applets.