Recently a vulnerability in Oracle’s Java Runtime Environment (JRE) 1.7 was discovered that may allow an applet to execute any program with arbitrary permissions.
The JRE framework allows any browser on any supported platform to execute Java applications, called applets, in the browser. The JRE has its own security mechanism, called the Security Manager. By default, an applet runs with the security credentials set by the browser or by the plugin that adds the Java support.
The exploit, which has been made freely available, is actively used in the wild.
It changes the permissions to bypass the restrictions imposed by default. If the user visits a specially crafted website that hosts this applet, it can execute any file on the user’s computer. This is a classic elevation of privileges, because the code is neither signed nor trusted by the browser.
At the time of writing this article, there is no fix available. The only way to stay safe is to disable the Java functionality in your browsers.
US-CERT has a more detailed analysis of this exploit, including how to disable Java in various browsers:
- Apple Safari: How to disable the Java web plug-in in Safari
- Firefox: How to turn off Java applets
- Microsoft Internet Explorer: Refer to the Java documentation for more details. In the Windows Control panel, open the Java item. Select the “Java” tab and click the “View” button. Uncheck “enabled” for any JRE version listed.
Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:
- Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system (10.6.2, for example).
If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.
- Run javacpl.exe as administrator, click the “Advanced” tab, select “Microsoft Internet Explorer” in the “Default Java for browsers” section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.
- Chrome: See the “Disable specific plug-ins” section of the Chrome documentation for how to disable Java in Chrome.
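The registry change from the Internet Explorer steps above can be audited across all installed versions. This is an added PowerShell example, not part of the original article or of the US-CERT text: it lists every Java Plug-in version key in both registry locations and reports whether UseJava2IExplorer is still enabled. The -Disable switch is this script's own (hypothetical) option, and the value is assumed to be a DWORD.

```powershell
# Added example: audit UseJava2IExplorer for every installed Java Plug-in version.
# Save as a .ps1 file. Reading works as a normal user; -Disable needs an elevated prompt.
param(
    [switch]$Disable   # hypothetical switch of this script: set enabled values to 0
)

# The two locations named in the text: native view and 32-bit Java on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)

$results = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # no Java plug-in in this view

    # Each subkey is one <version> from the registry path in the text.
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $prop = Get-ItemProperty -LiteralPath $key.PSPath -Name UseJava2IExplorer `
                    -ErrorAction SilentlyContinue
        $current = if ($prop) { $prop.UseJava2IExplorer } else { $null }

        if ($null -eq $current) { $state = 'value not set' }
        elseif ($current -eq 0) { $state = 'disabled' }
        else                    { $state = 'ENABLED' }

        # Only touch values that exist and are still non-zero.
        if ($Disable -and $state -eq 'ENABLED') {
            # Assumption: the value is stored as a REG_DWORD.
            Set-ItemProperty -LiteralPath $key.PSPath -Name UseJava2IExplorer `
                -Value 0 -Type DWord
            $state = 'disabled (changed by this run)'
        }

        [pscustomobject]@{
            Version = $key.PSChildName
            Key     = $key.Name
            Value   = $current
            State   = $state
        }
    }
}

if ($results) { $results | Format-Table -AutoSize -Wrap }
else          { Write-Output 'No Java Plug-in version keys found under HKLM.' }
```

Run it once without -Disable to see which versions are still enabled for Internet Explorer, then again with -Disable from an elevated PowerShell session.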
For readers who understand German, Heise.de has also published information about this exploit. Here is a way to see whether your browser has the Java plugin active or not: http://java.com/en/download/testjava.jsp
The German BSI has also issued a warning regarding the active usage of the exploit. The BSI warns citizens that some banners which normally use Java were compromised and make active use of this exploit to install banking trojans like Citadel and Hermes. Through this exploit it is also possible to execute a malicious URL, which would automatically trigger the default browser to open the URL and infect the computer.
Until there is a fix for this exploit, we recommend that you visit only highly trusted websites, and otherwise disable Java completely by following the instructions above.
At 16:00 GMT+1 we released a detection for this vulnerability. Please update the engine to version 220.127.116.11 or higher. All Avira products will detect this exploit as EXP/CVE-2012-4681.