CVSS2 base score: 10 (High). Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE. Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.975 (High), percentile 100.0%
Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions.
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.
The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's documentation states, _"If there is a security manager already installed, this method first calls the security manager's _checkPermission_ method with a _RuntimePermission("setSecurityManager")_ permission to ensure it's safe to replace the existing security manager. This may result in throwing a _SecurityException_."_
Oracle Java 1.7 provides an execute() method for Expression objects, which can use reflection to bypass restrictions to the sun.awt.SunToolkit getField() function, which operates inside of a doPrivileged block. The getField() function also uses the reflection method setAccessible() to make the field accessible, even if it were protected or private.
By leveraging the public, privileged getField() function, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing. Both the Oracle JRE 1.7 and the OpenJDK JRE 1.7 are affected.
This vulnerability occurred as the result of failing to comply with the following CERT Oracle Secure Coding Standard for Java rules:
* [SEC00-J](<https://www.securecoding.cert.org/confluence/display/java/SEC00-J.+Do+not+allow+privileged+blocks+to+leak+sensitive+information+across+a+trust+boundary>). Do not allow privileged blocks to leak sensitive information across a trust boundary
* [SEC05-J](<https://www.securecoding.cert.org/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes,+methods,+or+fields>). Do not use reflection to increase accessibility of classes, methods, or fields
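The two CERT rules above, as an added illustration that is not code from the vulnerability note or from the JRE: a hypothetical LeakyToolkit.getField() written in the pattern the note describes for sun.awt.SunToolkit, next to a hardened version that drops the privileged block so the security manager's normal accessibility check is applied to the caller. Class names are assumptions, and LeakyToolkit is assumed to be loaded from a fully trusted protection domain, as SunToolkit is.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical stand-in for a fully trusted (boot class path) helper, written
// the way the note describes sun.awt.SunToolkit.getField(): public, run inside
// doPrivileged, and raising accessibility with setAccessible(). It violates
// SEC00-J (a privileged block leaks a capability across a trust boundary) and
// SEC05-J (reflection used to increase accessibility): any caller, trusted or
// not, receives a Field it can read and write regardless of its own permissions.
final class LeakyToolkit {
    public static Field getField(final Class<?> cls, final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<Field>() {
            @Override
            public Field run() {
                try {
                    Field f = cls.getDeclaredField(name);
                    // The check passes because doPrivileged truncates the stack
                    // walk here; the untrusted caller's frame is never consulted.
                    f.setAccessible(true);
                    return f;
                } catch (NoSuchFieldException e) {
                    return null;
                }
            }
        });
    }
}

// Hardened form. Without the privileged block, getDeclaredField() (checked via
// RuntimePermission("accessDeclaredMembers")) and setAccessible() (checked via
// ReflectPermission("suppressAccessChecks")) are evaluated against the whole
// call stack, so an untrusted applet frame makes the security manager throw
// SecurityException. The helper is also package-private, so it is not part of
// the surface exposed to untrusted code in the first place.
final class HardenedToolkit {
    static Field getField(Class<?> cls, String name) throws NoSuchFieldException {
        Field f = cls.getDeclaredField(name);
        f.setAccessible(true); // SecurityException if any caller lacks the permission
        return f;
    }
}
```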
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
Apply an update
This issue is addressed in Java 7 Update 7. To protect against future Java vulnerabilities, consider the following workarounds:
Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details. If you are unable to upgrade to Java 7 Update 10 or later, please consider the following workarounds:
Disable the Java plug-in and Java Deployment Toolkit
Disabling the Java browser plug-in and Java Deployment Toolkit plug-in may prevent a malicious webpage from exploiting this vulnerability.
* Apple Safari: [How to disable the Java web plug-in in Safari](<https://support.apple.com/kb/HT5241>)
* Firefox: [How to turn off Java applets](<https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>). Make sure to disable both the Java plug-in and the Java Deployment Toolkit plug-in.
* Chrome: See the "Disable specific plug-ins" section of the [Chrome documentation](<https://support.google.com/chrome/bin/answer.py?hl=en&answer=142064>) for how to disable Java in Chrome. By default, Chrome will group plug-ins, so clicking "disable" for Java will disable both the Java plug-in and the Java Deployment Toolkit plug-in. However, if you click "Details" to expand the display of plug-ins, be sure to disable both the Java plug-in and the Java Deployment Toolkit plug-ins.
* Opera: Configure plug-ins to only execute on demand by selecting Opera -> Settings -> Preferences... -> Advanced -> Enable plug-ins only on demand
* Internet Explorer: See the following section.
Disable the Java plug-in and Java Deployment Toolkit for Internet Explorer
Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java. We have therefore provided a registry file that disables all of the CLSIDs provided by Java versions up through Java 7 Update 6, and also blocks invocation of Java through the <applet> element in IE by setting the URLACTION_JAVA_PERMISSIONS flag for the "Internet Zone." If you wish to disable the <applet> element in other zones, you can modify the registry file to suit your needs. See Microsoft KB article 182569 for more details. In our testing, importing this registry file appears to prevent invocation of Java applets in Internet Explorer.
Prevent Internet Explorer from automatically opening JNLP files
Java Web Start is a technology for launching Java applications and applets from a web browser. Aside from being invoked from the Java Web Start ActiveX control, Java Web Start can be launched by opening a JNLP file. The Java installer for Windows configures Internet Explorer to automatically open JNLP files without prompting the user. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
; Header line above is required for regedit to import the file; the key and values are as given in the note.
[HKEY_CLASSES_ROOT\JNLPFile]
@="JNLP File"
"EditFlags"=hex:00,00,00,00
A registry file that disables the <applet> element in the IE "Internet Zone", sets the kill bit for all of the Java CLSIDs through Java 7 Update 6, the Java Web Start ActiveX control, and the Java Deployment Toolkit ActiveX controls, and prevents IE from automatically opening JNLP files, as described above, is available for download here:
Disable_JRE7u6_plugin_webstart_toolkit_and_JNLP_IE.reg
If you wish to re-enable Java that has been disabled using the above registry file, you can import the following registry file:
Enable_JRE7u6_plugin_webstart_and_toolkit_IE.reg
Additionally, if you wish to disable the Java Plug-in for Internet Explorer at the plug-in file level, you may also consider the following steps:
* **Remove the next-generation Java plug-in file.** The next-generation Java plug-in is a newer version of the Java plug-in that executes outside the process space of the web browser. Note that this means that when invoked via the next-generation Java plug-in, Java executes outside any restrictions of the browser, such as DEP, Protected Mode, or other sandboxing. The next-generation Java plug-in can be disabled by removing any instance of the jp2iexp.dll file. Common locations for this file on the Windows platform include:
  * C:\Program Files\Java\jdk{version}\jre\bin
  * C:\Program Files\Java\jre7\bin
  * C:\Program Files\Oracle\JavaFX {version} Runtime\bin
* **Remove the Java plug-in file.** If the next-generation Java plug-in option is disabled, Internet Explorer will use the traditional Java plug-in, which operates within the process space of the browser. The Java plug-in can be disabled by removing any instance of the npjpi{version}.dll file. For example, Java 7 Update 6 provides npjpi170_06.dll. Common locations for this file on the Windows platform include:
  * C:\Program Files\Java\jdk{version}\jre\bin
  * C:\Program Files\Java\jre7\bin
  * C:\Program Files\Oracle\JavaFX {version} Runtime\bin
Disable "Open 'safe' files after downloading" in Safari
By default, Safari on Mac OS X automatically opens "safe" files after downloading, and the download itself also happens automatically. Java JNLP files are considered to be "safe." Disable the option "Open 'safe' files after downloading," as specified in the Securing Your Web Browser document. This will help prevent automatic exploitation of this and other vulnerabilities. Note that Java 7 is not provided with OS X by default; however, it is provided by Oracle as an optional download.
Uninstall Java
Due to the impracticality of disabling Java in Internet Explorer with Java versions prior to 7 Update 10, you may wish to uninstall Java to protect against this vulnerability.
Use different browsers for different activities
An effective way of mitigating risk of web browsing is to use separate browsers for different activities online. For example, if you do online banking, choose a browser to use for banking and nothing else. This can help minimize the risk of a malicious web page being able to interfere with the banking activity. The same concept applies to Java. If you use a web site that requires Java, then choose and configure a browser to have Java enabled, and only access that resource with that browser. Other browsers should have Java disabled, as described above. This helps minimize the exposure of Java to untrusted web sites.
Do not access Java Applets from untrusted sources
Attackers must deliver a malicious Java applet to a vulnerable system in order to take advantage of this vulnerability. This includes opening JNLP files, as Java Web Start can be used to execute a Java applet. By only accessing Java applets from known and trusted sources the chances of exploitation are reduced.
Use NoScript
Updated: August 30, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: August 29, 2012 Updated: August 30, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
This issue is addressed in Java 7 Update 7.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23636312 Feedback>).
Updated: August 29, 2012
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Apple Mac OS X provides Java SE 6, which is not affected by this vulnerability. However, systems that have Oracle Java 7 installed are affected.
Notified: August 31, 2012 Updated: September 06, 2012
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector
---|---|---
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 9.5 | E:H/RL:W/RC:C
Environmental | 9.5 | CDP:MH/TD:H/CR:ND/IR:ND/AR:ND
This vulnerability was publicly reported by FireEye.
This document was written by Will Dormann, Fred Long, Michael Orlando, and David Svoboda.
CVE IDs: CVE-2012-4681
Date Public: 2012-08-26
Date First Published:
blog.eset.ie/2012/08/30/java-zero-day-vulnerability-time-to-disable-java-in-your-browser-at-least/
blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
docs.oracle.com/javase/7/docs/api/java/lang/System.html#setSecurityManager%28java.lang.SecurityManager%29
docs.oracle.com/javase/7/docs/technotes/guides/deployment/deployment-guide/jcp.html#java
docs.oracle.com/javase/7/docs/technotes/guides/javaws/developersguide/syntax.html
docs.oracle.com/javase/7/docs/technotes/guides/security/smPortGuide.html
docs.oracle.com/javase/tutorial/essential/environment/security.html
mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html
mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020083.html
support.microsoft.com/kb/182569
support.microsoft.com/kb/2751647
www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html
www.oracle.com/technetwork/java/javase/downloads/index.html
www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
www.security-explorations.com/en/SE-2012-01-faq.html
community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
support.apple.com/kb/HT5241
support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
www.java.com/en/download/help/enable_browser.xml