Security Advisory for Java Users: Update

Update: 1/14/2013
Oracle has released a software update that repairs the Java vulnerability. CIS advises users to apply this security patch now, available here.

Please note that some computers may have both Java 6 and Java 7 installed, so it may not be apparent which versions are present on your computer. As a result, CIS recommends that the fix be installed manually via the above link rather than relying on the Java auto-update feature, and that you verify afterwards that no copy of Java 7 Update 10 or earlier remains on the system.
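Because the auto-updater may leave an older runtime behind, the practical check is to enumerate every Java runtime on the machine and compare each version against the affected range (Java 7 Update 10 and earlier). The script below is an added example written for this page, not code from CIS, Oracle or US-CERT. It queries the `java` binary on PATH, reads the JRE subkeys that the Oracle installer records in the Windows registry (HKLM\SOFTWARE\JavaSoft\Java Runtime Environment, plus the Wow6432Node view for 32-bit runtimes on 64-bit Windows), and classifies the version strings it finds; the sample strings in the `__main__` block are constructed inputs, not output captured from a real machine.

```python
"""List installed Java runtimes and flag Java 7 Update 10 and earlier."""
import re
import subprocess
import sys

# Matches the version forms Java reports or the installer writes:
#   'java version "1.7.0_10"', '1.7.0_10-b18', '1.6.0_38', '9.0.4'
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (family, update) from a version string, e.g. '1.7.0_10' -> (7, 10).

    Pre-Java 9 strings are '1.<family>.0_<update>'; later ones start with the
    family number. Returns None when no full version is present (e.g. the
    bare '1.7' subkey the Oracle installer also creates).
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    family = int(minor) if major == "1" else int(major)
    return family, int(update or 0)


def is_vulnerable(version):
    """True for the range named in the advisory: Java 7, Update 10 and earlier."""
    family, update = version
    return family == 7 and update <= 10


def assess(version_strings):
    """Map each raw version string to a verdict.

    'vulnerable'   : Java 7 Update 10 or earlier
    'outside range': Java 7 Update 11+ or a newer family
    'not covered'  : Java 6 and older, which this advisory does not address
    'unparsed'     : no full version string found
    """
    verdicts = {}
    for raw in version_strings:
        v = parse_java_version(raw)
        if v is None:
            verdicts[raw] = "unparsed"
        elif is_vulnerable(v):
            verdicts[raw] = "vulnerable"
        elif v[0] >= 7:
            verdicts[raw] = "outside range"
        else:
            verdicts[raw] = "not covered"
    return verdicts


def java_on_path():
    """Version banner of the java binary on PATH, or None if there is none."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return (out.stderr + out.stdout).strip() or None  # banner goes to stderr


def java_in_windows_registry():
    """JRE subkey names recorded by the Oracle installer (64- and 32-bit views)."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    for path in (r"SOFTWARE\JavaSoft\Java Runtime Environment",
                 r"SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # no JRE registered under this view
        with key:
            index = 0
            while True:
                try:
                    names.append(winreg.EnumKey(key, index))
                except OSError:
                    break  # no more subkeys
                index += 1
    return names


if __name__ == "__main__":
    # Constructed sample strings (not captured from a real machine) plus whatever
    # this host actually reports; a 6u38 and a 7u10 side by side is the case the
    # advisory warns about.
    found = ['java version "1.6.0_38"', "1.7.0_10", "1.7"]
    banner = java_on_path()
    if banner:
        found.append(banner.splitlines()[0])
    found.extend(java_in_windows_registry())
    for raw, verdict in assess(found).items():
        print(f"{verdict:14s} {raw}")
```

On a system where the auto-updater installed 7u11 but left 7u10's registry entries and directory in place, the registry scan still reports the old runtime, which is the reason the advisory asks for a manual install and a follow-up check.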

Issue: Java 7 Update 10 and earlier contain an unspecified vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

How you could be affected: By convincing you to open a specially crafted web page (for example, by following a link in an email or visiting a compromised site), a remote attacker may be able to execute arbitrary code on a vulnerable system.

Mitigating actions you can take: Until the patch above is applied, there is no practical fix for this problem; the steps below only reduce your exposure in the meantime. Since Java is required to run various business applications, ISG recommends that you visit only websites you trust and use Firefox as your primary browser. You may also consider installing its NoScript add-on for extra protection (read more about the NoScript add-on to see whether it is right for you). Chrome offers a comparable setting that blocks plug-ins from running until you explicitly allow them.

How to unplug Java from a browser:
Details from US-CERT: Vulnerability Note VU#625617