JRE 1.7 Vulnerability

Question

Today, our Enterprise Architect mentioned that a recent vulnerability was discovered in the JRE 1.7. I found an article the JRE 1.7 vulnerability recommending disabling Java.

I am running JDK 1.5 and 1.6 at work (like many organizations, we're not on the latest of technologies), so no problems there.

At home I am doing development with Java SE 7u6. I'm playing with Grails, Spring Security, trying to keep learning.

I have already gone and disabled the Java Plug-in in all my browsers on my home development machine. However, does anyone know if my home dev machine is still vulnerable by virtue of having the JDK 7 installed? I did find this article on US-CERT declaring the vulnerability notice: Oracle Java JRE 1.7 Expression.execute() fails to restrict access to privileged code.

It sounded like as long as the browser is not able to run Applets, I should be fine (it should not with the Java Plug-in disabled). However, what about Java Web Start/JNLP? Could that get invoked? That's the only other thing I could think of, other than Applets, that might be of concern.

Just wondering if I need to go through the efforts of uninstalling my Java SE 7 and dropping back to a JDK6.

What have others done upon learning of this security issue with JRE 1.7?

Answer 1

The details of the latest vulnerability have not been made public. However, my understanding is that it only affects Java browser plugins. The recommended mitigation is to disable the Java browser plugins. No mention is made of non-plugin Java, so I think it is safe to assume that your dev machine is not vulnerable simply by virtue of having Java 7 installed.

However, what about Java Web Start/JNLP? Could that get invoked?

I don't think so. I think it is safe to assume that the people who found the problem would have thought of that potential attack vector. (But simple common sense says that you wouldn't want to be launching random JNLP programs in the first place ...)

Answer 2

I understand it as if you have to visit a malicious site to become infected. So no, you are not at risk simply by virtue of having Java 7 installed in your browser.

Some useful links:

• US-CERT link which explains the vulnerability:

http://www.kb.cert.org/vuls/id/636312

• Oracle link to their Security Alerts (not just Java, but also including Java):

http://www.oracle.com/technetwork/topics/security/alerts-086861.html

As of writing (30 Aug 2012) I cannot see that Oracle has yet issued an alert for this. I can't really figure out if they only issue such alerts AFTER a patch has been created. According to US-CERT site Oracle was officially alerted on 29 Aug 2012 but they may already have known about it because blog reports about the vulnerability started a few days before the 29th.

What you can read on the Oracle site is that the next planned "Java SE Critical Patch Update" is on 16 October 2012. Surely they won't wait for that but release an out-of-band patch for this vulnerability asap. (they've done so before)