Vulnerability Note VU#858729

The Oracle Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".

By leveraging a number of vulnerabilities, an untrusted Java applet can escalate its privileges to allow full privileges, without requiring code signing. Other vulnerabilities can cause exploitable memory corruption, which could affect Java applets, as well as Java applications, depending on what the Java application does and how it may process untrusted data. Oracle Java 7 Update 11, Java 6 Update 38, and earlier Java versions are affected.

At least one of these vulnerabilities is reportedly being exploited in the wild.

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities. The vulnerabilities that affect server deployments of Java may be exploited by causing a Java server application to process untrusted data.

Apply an update

These issues are addressed in Java 7 Update 13 and Java 6 Update 39. Please see the Oracle Java SE Critical Patch Update Advisory - February 2013 for more details.

Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.

Restrict access to Java applets

Network administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to .jar and .class files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet.