The fun never ends. Yet another zero-day vulnerability in the current patch revisions of the Java Runtime Environment. Security research firm FireEye reports that there are active exploits in the wild against both JRE7u15 and JRE6u41. The most significant point of this is that JRE6u41 isn't likely going to get fixed, as public support for JRE6 ended yesterday. Presumably JRE7u17 will be available shortly, but at a minimum you need to disable Java in IE or use a browser that prompts before launching a Java applet in the browser.
Note also that since the release of JRE7u10 you can disable Java in Internet Explorer using the Java Control Panel for JRE7, but the UI is a bit flaky. You'll need to select the "Microsoft Internet Explorer" option and then press the spacebar to disable the functionality. And even then, this may not be enough; there is some discussion and controversy about whether this actually works. Seriously, if you're not actively using a Java-based application on your computer right now - today! - I would suggest removing Java completely. I have!
Previously I wrote in this article, incorrectly, that the vulnerability fixed in JRE7u11 was also present in JRE6. This is not correct. However, subsequent research has also uncovered the fact that 78% of the Java 7 security vulnerabilities that have been fixed since its release in July 2011 are also present in Java 6. As such, for those who might have been inclined to stick with Java 6 to avoid the security issues with Java 7, that's not going to be of any real help. Also, security updates for Java 6 will no longer be published after February 2013, so if you need Java, migrating to the latest release of Java 7 and removing Java 6 is definitely the best approach.
It’s been yet another busy 72 hours in the land of Java, although, by now, a lot of people have become quite accustomed to this rat race. The latest issue was reported on Friday by a number of sources: an active exploit of a vulnerability in the Java Runtime Environment (JRE) v7 update 10 had been identified. Unlike past times, though, Oracle responded quite rapidly, and on Sunday released an update: JRE7u11 – which, unfortunately, doesn’t fix all of the identified vulnerabilities, but does fix the one being exploited. That update was published to the SolarWinds Patch Manager catalog yesterday.
However, be aware that the same vulnerability also exists in the Java Runtime Environment v6, and Oracle has not released a patch for that vulnerability, so don’t be surprised if an active exploit for JRE6 shows up in the next day or so.
In the meantime though, here’s an Action Plan for dealing with Java.
Best Solution: Uninstall Java
If you have machines that do not need the Java Runtime Environment, then uninstall it. Completely! If you have Java 7 and Java 6 installed (or any other older versions of Java), uninstall the older versions! Consider it one of those applications that only “special people” get to install. SolarWinds Patch Manager has tools that you can leverage to do mass uninstallations of Java across your entire organization.
Good Solution: Disable Java
Java is a pretty popular development environment and has been around a very long time. As a result, the reality is that almost every organization has at least one business critical application that requires the Java Runtime. Consider, though, disabling the Java Runtime on those systems that need it, and only explicitly enabling it when the application(s) that require it need to be used. This can be done through the Java Control Panel.
Minimum Solution: Disable Java Plugins in the Browsers
Sometimes, though, it’s just not practical to disable Java. Some business applications are used on a daily basis, or the process of enabling and disabling Java doesn’t work well for some users. At a minimum, though, you should disable Java in web browsers. This is fairly easy to do in almost every environment. Here are links for disabling Java in each of the major browsers:
Required Solution: Patch Java!
If you don’t uninstall Java, and regardless of whether you disable it completely, partially, or not at all, you absolutely need to keep it patched with the most current updates. Failing to apply this JRE7u11 patch can result in the installation of malicious software on PCs in order to steal identities or make infected computers part of a network used to attack websites.
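As an added example (not code from this post, nor from SolarWinds Patch Manager or Oracle), here is a PowerShell audit that checks one Windows host against the three actions above: which JRE versions are installed, whether more than one is installed (the older ones should go), and whether Java content in the browser has been switched off. It assumes Oracle's "Java N Update M" uninstall entry names and the deployment.webjava.enabled key in the per-user deployment.properties introduced with JRE 7u10; verify both against your own installs.

```powershell
# Added example (not SolarWinds' or Oracle's code): audit one Windows host for
# installed Java runtimes and for the "Java content in the browser" switch.
# Assumptions: Oracle JREs register under the standard Uninstall keys with a
# DisplayName such as "Java 7 Update 11" or "Java(TM) 6 Update 41", and the
# per-user setting is stored as deployment.webjava.enabled in deployment.properties.

$RequiredMajor  = 7    # minimum the post calls for: JRE 7 Update 11
$RequiredUpdate = 11

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every installed JRE whose name follows Oracle's "Java N Update M" scheme.
$javaInstalls = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.DisplayName -match '^Java(\(TM\))?\s+(?<major>\d+)\s+Update\s+(?<update>\d+)') {
            [PSCustomObject]@{
                Name      = $_.DisplayName
                Major     = [int]$Matches['major']
                Update    = [int]$Matches['update']
                Uninstall = $_.UninstallString   # feed this to a removal job
            }
        }
    })

$findings = @()
foreach ($j in $javaInstalls) {
    if ($j.Major -lt $RequiredMajor -or
        ($j.Major -eq $RequiredMajor -and $j.Update -lt $RequiredUpdate)) {
        $findings += "OUTDATED: $($j.Name) is below Java $RequiredMajor Update $RequiredUpdate"
    }
}
if ($javaInstalls.Count -gt 1) {
    $findings += "MULTIPLE: $($javaInstalls.Count) Java runtimes installed; remove the older ones"
}

# Per-user "Enable Java content in the browser" switch (JRE 7u10 and later).
# This reads the profile of the user running the script, so run it as that user.
$props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
$webJava = 'not set (Java content in the browser defaults to enabled)'
if (Test-Path $props) {
    $hit = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=(.*)$' | Select-Object -First 1
    if ($hit) { $webJava = $hit.Matches[0].Groups[1].Value.Trim() }
}
if ($webJava -ne 'false') { $findings += "BROWSER: deployment.webjava.enabled is $webJava" }
$javaInstalls | Format-Table Name, Major, Update -AutoSize
if ($findings.Count -gt 0) { $findings } else { 'OK: Java is current, single-version, and disabled in the browser' }
```

Run it per host (or wrap it in Invoke-Command for remote hosts) and treat any OUTDATED, MULTIPLE or BROWSER line as work for your patch or uninstall job.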
To help all IT Pros with this challenge, today SolarWinds has updated the Patch Manager evaluation edition to include this latest JRE7 update. Previously only an older version of JRE6 was available for evaluations. We also know that the vulnerability exists in JRE6, and hopefully there is an update for JRE6 coming soon from Oracle, so when that update becomes available, we will also make it available to all evaluation users. Effective today, you can fully patch every JRE7 system in your network using a 30-day free trial of SolarWinds Patch Manager.
Oh, and it takes a lot less time using Patch Manager! You can be done in as little as a few hours, typically overnight for most organizations – as opposed to days if you’re using scripts or doing it manually. Check out this video for a quick look at how Patch Manager makes patching Java so much easier.
If you need assistance, the Customer Portal is available for customers, and evaluators can email directly at firstname.lastname@example.org. In addition, you can post to the Thwack Patch Manager forum, which I continuously monitor. Whether it’s completely uninstalling Java or patching the installations you keep, Patch Manager has the ability to help you do both.
One last note, this new JRE7u11 update also has new protection mechanisms for dealing with unsigned Java applications, and will notify the user if one is encountered. This is a function of elevating the default security level from “Medium” to “High”, and is discussed further in the JRE7u11 Release Notes.