On January 10, 2013, security researchers reported an unpatched (zero-day) vulnerability in Oracle Java 7 Update 10 (1.7u10).
Exploit code for the vulnerability is publicly available and is being used widely in the wild. Attackers are using it to turn compromised websites into platforms that silently install keyloggers and other malicious software: simply visiting such a site with a vulnerable version of Java installed and enabled in the browser is enough to be infected, with no prompt or download dialog (a "drive-by download"). The malicious software installed through these attacks may collect usernames and passwords entered on the compromised computer, including credentials for sensitive websites, bank accounts and email.
Limiting browsing to trusted websites may reduce your exposure to these drive-by downloads, but it will not eliminate the risk, because the attacks are served from legitimate websites that have themselves been compromised.
Mozilla and Apple have already moved to blacklist and disable the Java plugin in Firefox and Safari respectively, and other vendors may follow suit. These vendor actions will break Java-based web applications for users of those browsers until the plugin is re-enabled or updated.
The IT Security Office advises applying workarounds as soon as possible. Because no patch is available, the effective workaround is to disable Java in your web browsers (Java 7 Update 10 adds a "Enable Java content in the browser" setting in the Java Control Panel for this purpose), or to uninstall Java entirely if you do not need it, until Oracle releases a fix.
All versions of Oracle Java 7 (aka 1.7) from the initial release (1.7.0) up through Update 10 (1.7.0_10) are vulnerable.
Other versions of Java may also be vulnerable.
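As an added example (not part of the OIT advisory), the POSIX shell script below checks a Java runtime against the affected range above. It parses the version banner that `java -version` prints (to stderr, hence the `2>&1`) and reports whether the installed release is Java 7 Update 0 through 10. The function names are the editor's own, and the sample banners are constructed rather than captured from real hosts.

```shell
#!/bin/sh
# Added example, not part of the OIT advisory: classify a Java runtime
# against the affected range (Java 7 / 1.7.0 through Update 10).
# Function names and the sample banners below are the editor's own.

# Read `java -version` output on stdin and print the quoted version string
# (e.g. 1.7.0_10). java writes this banner to stderr, so callers use 2>&1.
extract_java_version() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# java7_vulnerable VERSION -> exit 0 if VERSION is Java 7 Update 0..10
# (the range this advisory covers), exit 1 otherwise. Handles the GA
# release "1.7.0", zero-padded updates such as "1.7.0_07", and build
# suffixes such as "1.7.0_10-b18".
java7_vulnerable() {
    case "$1" in
        1.7.0)   update=0 ;;
        1.7.0_*) update=${1#1.7.0_} ;;
        *)       return 1 ;;          # not Java 7 at all
    esac
    update=${update%%-*}              # drop a "-bNN" build suffix
    update=$(printf '%s\n' "$update" | sed 's/^0*//')
    if [ -z "$update" ]; then update=0; fi   # "00" -> 0
    case "$update" in
        *[!0-9]*) return 1 ;;         # non-numeric update: not in range
    esac
    [ "$update" -le 10 ]
}

# classify_java_output TEXT -> prints one of:
#   java7-vulnerable : in the advisory's affected range
#   outside-range    : a version the advisory does not cover (it may still
#                      need review; other versions may also be vulnerable)
#   unknown          : no version banner found (Java absent or odd output)
classify_java_output() {
    ver=$(printf '%s\n' "$1" | extract_java_version)
    if [ -z "$ver" ]; then
        echo unknown
    elif java7_vulnerable "$ver"; then
        echo java7-vulnerable
    else
        echo outside-range
    fi
}

# Check the host this script runs on, if a java binary is on PATH.
check_local_java() {
    if command -v java >/dev/null 2>&1; then
        classify_java_output "$(java -version 2>&1)"
    else
        echo unknown
    fi
}

# Constructed sample banners (not captured from real hosts).
SAMPLE_7U10='java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)
Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)'
SAMPLE_7U07='java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)'
SAMPLE_6U38='java version "1.6.0_38"
Java(TM) SE Runtime Environment (build 1.6.0_38-b05)'
SAMPLE_NONE='sh: java: command not found'

echo "7u10 sample: $(classify_java_output "$SAMPLE_7U10")"
echo "7u07 sample: $(classify_java_output "$SAMPLE_7U07")"
echo "6u38 sample: $(classify_java_output "$SAMPLE_6U38")"
echo "no java:     $(classify_java_output "$SAMPLE_NONE")"
echo "this host:   $(check_local_java)"
```

Note that "outside-range" only means the version is not one the advisory lists; it is not a clean bill of health, and a host with the Java plugin enabled in the browser should still be reviewed. A result of "java7-vulnerable" means the workarounds above apply to that machine.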
If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or firstname.lastname@example.org. Email and phone help is available Mondays through Thursdays, 7:00 a.m. to 10:00 p.m.; Fridays 7:00 a.m. to 7:00 p.m.; and Saturdays and Sundays, noon to 6:00 p.m.
OIT has defined the following categories to describe the severity of security risks:
URGENT severity represents a broad threat to the entire campus community.
SEVERE severity includes remote exploits and worms.
IMPORTANT severity includes viruses and local exploits for commonly used services.