FireEye security researchers are warning that they have detected a new zero-day vulnerability that is being used successfully in the wild against browser clients running Java, and that it affects both Java 6u41 and Java 7u15.
Given that the Java 7 update was only released a couple of weeks ago, this is yet more bad news for Oracle and for users of the Java browser plug-in. Bad news, but not exactly surprising, as security researchers have been finding flaws in the update since it was made available. The difference here is that this isn't just a lab-based, theoretical vulnerability: this is, it would appear, a full-blown in-the-wild exploit.
FireEye researchers state that:
...this vulnerability leads to arbitrary memory read and write in the JVM process. After triggering the vulnerability, the exploit looks for the memory which holds JVM internal data structures, like whether the security manager is enabled or not, and then overwrites that chunk of memory with zeros.
At the moment the exploit doesn't appear to be all that reliable, which is some consolation: the memory overwrite often fails to execute and instead causes a JVM crash. Hopefully Oracle will make an update available soon, in time to prevent the bad guys from tweaking this exploit and making it work reliably. FireEye is working with Oracle to this end, but in the meantime advises users to disable Java in the browser until such time as a patch becomes available.
Similar advice is being issued by Qualys this morning:
These attacks are all against Java on the desktop and use the browser as an attack vector. Our recommendation is to uninstall Java from the desktop if possible, otherwise disconnect Java from the browser, which recent versions of Java have made much easier. If neither of these options works, look at a whitelisting solution for Java. Through its Zone mechanism Internet Explorer enables you to disable Java in the Internet Zone, but to leave it enabled in the Trusted Sites zone, which then needs to contain the sites that you need to run Java on (GotoMeeting, internal sites, etc).
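The zone-based whitelisting that Qualys describes can be applied per user with a short PowerShell script. The following is an added example, not code from the article, from FireEye or from Qualys. It assumes the per-user (HKCU) Internet Explorer zone settings are not overridden by HKLM or Group Policy, uses the documented "1C00" (Java permissions) zone value, and the site list is a constructed placeholder to be replaced with the sites that genuinely need Java.

```powershell
# Added example: confine the Java plug-in in Internet Explorer to the Trusted Sites zone.
# Assumption: HKCU zone settings are in effect (no HKLM / Group Policy override).
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# IE zone numbers: 2 = Trusted Sites, 3 = Internet.
# Value 1C00 = "Java permissions": 0 = Disable Java, 0x10000 = High safety,
# 0x20000 = Medium safety, 0x30000 = Low safety.
$JavaDisabled   = 0x0
$JavaHighSafety = 0x10000

# Disable Java outright for everything in the Internet zone.
Set-ItemProperty -Path "$zonesKey\3" -Name '1C00' -Value $JavaDisabled -Type DWord

# Leave Java available, under the most restrictive sandbox, in Trusted Sites only.
Set-ItemProperty -Path "$zonesKey\2" -Name '1C00' -Value $JavaHighSafety -Type DWord

# Whitelist: constructed placeholders standing in for the sites that need Java
# (the article names GotoMeeting and internal sites as typical cases).
$trustedJavaSites = @('gotomeeting.example', 'intranet.example.internal')

foreach ($site in $trustedJavaSites) {
    $siteKey = Join-Path $zoneMap $site
    if (-not (Test-Path $siteKey)) { New-Item -Path $siteKey -Force | Out-Null }
    # Mapping the https scheme to zone 2 places the domain in Trusted Sites
    # (Trusted Sites requires HTTPS by default, so only that scheme is mapped).
    Set-ItemProperty -Path $siteKey -Name 'https' -Value 2 -Type DWord
}

# Read back the effective Java permission for each zone as a check.
foreach ($zone in 2, 3) {
    $v = (Get-ItemProperty -Path "$zonesKey\$zone" -Name '1C00').'1C00'
    "Zone $zone Java permissions = 0x{0:X}" -f $v
}
```

Run the script in the context of the user whose browser is being hardened; the read-back at the end should report 0x0 for zone 3 and 0x10000 for zone 2. If the values do not change, a machine-wide policy under HKLM is taking precedence and the same settings have to be applied there or through Group Policy instead.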