Hackers Using Java — U.S. Gov't

Get rid of Java, the program. The United States Computer Emergency Readiness Team (US-CERT) says hackers are attacking systems that use Oracle Java, and that web browsers with the Java 7 plug-in are at high risk.

“A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system,” the US-CERT posted on its website.

Any system using Oracle Java 7, including Java Platform Standard Edition 7, Java SE Development Kit, and Java SE Runtime Environment through update 10, is affected, the team said.

“A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code,” computer experts said. “An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet.”

An attacker could also compromise a legitimate web site and upload a malicious Java applet. The team describes this as a “drive-by download” attack.

Firefox or Chrome users cannot evade the attack as “any web browser using the Java 7 plug-in is affected,” according to the team. “The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors,” they said.

As a solution, the US-CERT recommends disabling Java in web browsers.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available,” the team added. “As with any software, unnecessary features should be disabled or removed as appropriate for your environment.”

To avoid confusion, note that Java and JavaScript are not the same.