Security Zero day Java exploit being used in the wild

[jggimi]

This effects all versions of Oracle Java (JRE 1.7 Update 10 and earlier), including both the JRE and JRE browser plugins.

From US DHS CERT:

Quote:

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:


Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

[Carpetsmoker]

To quote a certain bowl of petunias:
"Oh no, not again".

[Ninguem]

Why is it called "In the wild"?

Are there a bunch of crazed woodland creatures passing away their time hacking and not hibernating?

Serious side: Java has been and is known for running on most architectures and being able to affect them. An exploit on a SPARC64 machine can be used to control i386 clients. Did the particular developer of the code in question test it for vulnerabilities?
Sometimes there should be more people like deRaadt when it comes to code.

[jggimi]

Oracle issued an emergency update over the weekend (JRE 7 Update 11) which some reports have called insufficient. Here's an in-depth article.

[J65nko]

From another site : http://www.networkworld.com/communit...ke-2-years-fix

Quote:

Oracle releases emergency Java patch; experts warn flaws may take 2 years to fix

Oracle released an emergency patch for Java, but security experts warn the patch doesn't fix all critical vulnerabilities. Not counting future Java exploits, the current Java bugs may take '2 years' to fully fix. In fact, US-CERT advises, "Unless it is absolutely necessary to run Java in web browsers, disable it, even after updating to 7u11."

[jggimi]

To be clear, the security flaw affects JRE as well as the JRE plugin; the press is focused on the plugin but if I understand the problem there is still a risk with JRE (non-plugin) if it is used as a Client in a Client/Server HTML application.

[J65nko]

According to Another Java zero-day vulnerability apparently available the problems with Java are still not over ....

[Ninguem]

The problem with Java is so apparent that one of my friends who is not into computers/OSes/architectures as I am had mentioned it.