Java Vulnerable and Actively Exploited

Last Updated: 01/12/2013

Security Notice Level

SEVERE

On January 10, 2013, security researchers reported an unpatched vulnerability in Oracle Java 7 Update 10 (version 1.7.0_10). The flaw is reachable through the Java browser plug-in, so it can be triggered by web content.

Exploit code for the vulnerability is publicly available and is being used widely in the wild. Attackers are using it to turn compromised websites into platforms that silently install keyloggers and other malicious software. Any computer that browses the web with a vulnerable version of Java installed and enabled in the browser is susceptible to these drive-by downloads; no action beyond visiting the page is required. Malware installed this way may collect usernames and passwords typed on the compromised computer, including credentials for sensitive websites, bank accounts, and email.

Limiting browsing to trusted websites reduces exposure to these drive-by downloads but does not eliminate it, because the attacks are served from otherwise legitimate sites that have been compromised.

Mozilla and Apple have already moved to blocklist and disable the Java plug-in for their respective browsers. Other vendors may follow suit. These vendor actions will break websites and applications that depend on the Java plug-in for users of those vendors' browsers.

The IT Security Office advises applying the workarounds described in the referenced alerts as soon as possible. Until Oracle releases a fix, the effective workaround is to disable Java in web browsers; this does not affect locally installed Java applications that do not run in the browser.

Affected Software:

All releases of Oracle Java 7 (version 1.7.0), from the initial release through Update 10 (1.7.0_10), are vulnerable.
Other versions of Java may also be vulnerable.
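To tell whether a given machine falls inside the affected range above, the version string printed by `java -version` has to be parsed and compared against Java 7 Update 0 through Update 10. The script below is an added example for this notice, not a tool from the original advisory or from Oracle: `java_affected` classifies a version banner, and `check_installed_java` runs whatever `java` is on PATH (assumed to exist) through that check. The banner strings used to exercise it are constructed.

```shell
#!/bin/sh
# Added example for this advisory (not part of the original notice):
# classify a Java runtime as inside or outside the affected range,
# i.e. Java 7 (1.7.0) from the initial release through Update 10
# (1.7.0_10). The banner formats below match what `java -version`
# prints on its first line; the test strings are constructed.

# java_affected BANNER
#   BANNER is the first line of `java -version` output, for example
#     java version "1.7.0_10"
#     openjdk version "1.7.0"
#   or a bare version string such as 1.7.0_10.
#   Exit status: 0 = in the affected range, 1 = outside it,
#   2 = the banner could not be parsed.
java_affected() {
    banner=$1

    # Keep only the quoted version token; a bare string has no quotes
    # and passes through unchanged.
    ver=${banner#*\"}
    ver=${ver%%\"*}

    # Require the dotted major.minor.patch shape before splitting.
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}          # "0_10", "0", or "0_10-<build>" style suffixes
    if [ "$rest" = "${rest#*_}" ]; then
        update=0             # no _NN suffix: the initial release
    else
        update=${rest#*_}
        update=${update%%[!0-9]*}   # drop any non-numeric build suffix
    fi

    # Every field must be purely numeric for the comparisons below.
    case "$major$minor$update" in
        ''|*[!0-9]*) return 2 ;;
    esac

    if [ "$major" -eq 1 ] && [ "$minor" -eq 7 ] && [ "$update" -le 10 ]; then
        return 0
    fi
    return 1
}

# check_installed_java: run the java on PATH (if any) through the check.
# Prints a verdict; exit status follows java_affected (1 when no java).
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH"
        return 1
    fi
    banner=$(java -version 2>&1 | head -n 1)
    if java_affected "$banner"; then
        echo "AFFECTED: $banner"
        return 0
    fi
    echo "not in the affected range: $banner"
    return 1
}

# Run the live check only when invoked with --check, so the functions
# can also be sourced or tested without touching the local java.
if [ "${1-}" = "--check" ]; then
    check_installed_java
fi
```

Run it as `sh check-java.sh --check` on a workstation (the file name is an assumption). Note that the check only looks at the `java` found first on PATH; a browser plug-in may be bound to a different installation, so a machine with several Java installs needs each one checked, and a machine whose runtime is outside the range can still be exposed if a second, older Java 7 is what the browser loads.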

References:

http://www.us-cert.gov/cas/techalerts/TA13-010A.html
http://www.kb.cert.org/vuls/id/625617

Additional Information

If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or help@colorado.edu. Email and phone help is available Mondays through Thursdays, 7:00 a.m. to 10:00 p.m.; Fridays 7:00 a.m. to 7:00 p.m.; and Saturdays and Sundays, noon to 6:00 p.m.