The U.S. Department of Homeland Security is warning computer users that a vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. Homeland Security says that an attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).
Any web browser using the Java 7 plug-in is affected, including Firefox, Safari, Internet Explorer and Chrome, as well as browsers on Apple Macintosh systems. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
How to Disable Java
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:
A Security Level slider has been added to the Java Control Panel (under the Security tab) to control the behavior when attempting to run unsigned apps (either from the web or local). The user can select low, medium, high or very high security settings. There are fewer security warnings at the lowest setting. While it is called the "Security Level control" (or slider), it can be thought of as the ability to control the level of notification you will receive when the browser attempts to run unsigned Java apps.
The following list summarizes the behavior of the different levels:
- Low: Most unsigned Java apps in the browser will run without prompting unless they request access to a specific old version or to protected resources on the system.
- Medium: Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure. (The JRE version should not be expired and should be at or above the latest security update release of Java from Oracle.) You will be prompted if an unsigned app requests to run on an old version of Java. To download the latest version of Java, go to java.com.
- High: You will be prompted before any unsigned Java app runs in the browser. If the JRE is expired or below the security baseline, you will be given an option to update.
- Very High: Unsigned (sandboxed) apps and local applets will not run.
The default security level is medium.
Additionally, there are two checkboxes available in the Java Control Panel (under the Advanced tab) that are relevant to unsigned apps:
- Show sandbox warning banner: Disables the warning icon that appears next to top-level windows opened from an unsigned app.
- Allow user to accept JNLP security requests: Allows an unsigned app that is deployed via JNLP to ask the user for increased access to computer resources like the hard drive or the printer.
For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting "Enable Java content in the browser" in the Java Control Panel under the Security tab.
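The Control Panel settings described above are persisted in the user's `deployment.properties` file, which makes them auditable across a fleet. The following script is an added example (not from the article, DHS or Oracle): it parses a properties file and reports whether the browser plug-in is disabled or the slider is at Very High. The key names `deployment.webjava.enabled` and `deployment.security.level`, the level values, and the "enabled at Medium" defaults are assumed from Oracle's deployment configuration documentation rather than taken from this page; the sample files are constructed.

```python
"""Audit a Java 7 deployment.properties file for the browser plug-in settings.

Added example; not the article's or Oracle's own code. Key names and defaults
are assumed from Oracle's deployment configuration documentation.
"""

# Assumed property keys (not named on the page above).
KEY_WEBJAVA = "deployment.webjava.enabled"   # "Enable Java content in the browser"
KEY_LEVEL = "deployment.security.level"      # Security Level slider
LEVELS = ("LOW", "MEDIUM", "HIGH", "VERY_HIGH")

# Constructed sample files: a default-style install and a hardened one.
SAMPLE_DEFAULT = """\
#deployment.properties
#Thu Jan 10 10:00:00 EST 2013
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

SAMPLE_HARDENED = """\
#deployment.properties
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
"""


def parse_properties(text):
    """Minimal Java .properties parser.

    Handles '#'/'!' comment lines, '=' or ':' as the key/value separator
    (whichever comes first), backslash line continuations and surrounding
    whitespace. Unicode escapes are left untouched, which is fine for
    the boolean and enum values checked here.
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # A trailing single backslash joins the next line onto this one.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        positions = [line.find(sep) for sep in "=:" if sep in line]
        if positions:
            idx = min(positions)
            key, value = line[:idx], line[idx + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Describe the browser exposure implied by a parsed properties dict.

    Absent keys fall back to the assumed installer defaults: plug-in enabled,
    slider at MEDIUM (the article states medium is the default level).
    """
    web_enabled = props.get(KEY_WEBJAVA, "true").strip().lower() != "false"
    level = props.get(KEY_LEVEL, "MEDIUM").strip().upper()
    if level not in LEVELS:
        level = "UNKNOWN"
    return {
        "web_java_enabled": web_enabled,
        "security_level": level,
        # Very High stops unsigned (sandboxed) apps; disabling the plug-in
        # stops everything, signed or not.
        "unsigned_applets_blocked": (not web_enabled) or level == "VERY_HIGH",
        "all_applets_blocked": not web_enabled,
    }


def findings(text):
    """Return human-readable findings for one properties file."""
    result = audit(parse_properties(text))
    notes = []
    if result["web_java_enabled"]:
        notes.append("Java content in the browser is enabled")
    if not result["unsigned_applets_blocked"]:
        notes.append("unsigned applets can run at level %s" % result["security_level"])
    return notes or ["browser plug-in hardened"]


if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, "->", "; ".join(findings(sample)))
```

In practice the file lives under the user's Java deployment directory (for example `~/.java/deployment/` on Unix-like systems, or under the per-user application data folder on Windows); feed its contents to `findings()` to flag hosts where the plug-in is still exposed.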