Posted by: Ed Tittel
Quick: visit http://www.isjavaexploitable.com/ on any PC close at hand. There are a number of Java exploits rampant in the wild at the moment, so you’ll want to see a resulting screen that looks like this if you do have Java installed:
On the other hand, if you don’t have Java installed, you’ll see something like this:
But if your installed version of Java is vulnerable to the latest zero-day exploits, you’ll see the following warning instead:
What to do if one or more machines shows up as vulnerable? Turning off Java is the safest and simplest response. Instructions for all major browsers are posted on the KrebsOnSecurity site, alongside its coverage of the Metasploit exploit. This is a bona fide zero-day exploit, folks, and it may require immediate action!
Note: After a heckuva hullabaloo, Oracle posted Version 7 Update 7 for Java today (8/30/2012), and it fixes all of the vulnerabilities that isjavaexploitable can detect. Visit www.java.com/getjava/ to update yours immediately! Now, the only open questions are: 1. Have all 19 vulnerabilities that Polish company Security Explorations reported to Oracle on April 2, 2012, been fixed? and 2. Have the remaining 10 vulnerabilities that they further found and reported after that date been fixed as well? I certainly hope so, but you’ll want to keep an eye on this situation, and read Lucian Constantin’s excellent Computerworld story from August 29 entitled “Oracle knew about zero-day Java vulnerabilities for months, researcher says” for more information, and an explanation as to why I have yet to be fully convinced that all the exposures have been handled.
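For checking a fleet of machines without visiting the test site from each one, here is an added example (not part of the original post) that parses the banner `java -version` prints and reports whether an installed Java 7 is at least the Update 7 release named above. The sample banners are constructed, and the build numbers in them are placeholders; the post says nothing about Java 6, so non-7 versions are reported separately rather than judged.

```python
import re
import subprocess
from typing import Optional, Tuple

# Oracle's fix named in the post: Java 7 Update 7, reported by `java -version` as 1.7.0_07.
FIXED_RELEASE = (1, 7, 0, 7)

# Constructed sample banners (build suffixes are placeholders) so the check runs offline.
SAMPLE_VULNERABLE = 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-bXX)\n'
SAMPLE_FIXED = 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-bXX)\n'

_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, update) from `java -version` text; None if no banner."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def assess(output: str) -> str:
    """Classify a banner: 'missing', 'not-java-7', 'needs-update' or 'fixed'."""
    version = parse_java_version(output)
    if version is None:
        return "missing"          # no Java banner found: nothing to update
    if version[:2] != (1, 7):
        return "not-java-7"       # the post only covers Java 7; assess other lines separately
    return "fixed" if version >= FIXED_RELEASE else "needs-update"


def assess_installed_java() -> str:
    """Run the real `java -version` on this machine; the banner goes to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "missing"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(assess_installed_java())
```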