CVE-2012-4681 – A Java 0-day is going to hit big time


It is only 48 hours ago that media started reporting about the newly discovered 0-day in Oracle Java version 7. Now we have discovered the first Blackhole exploit kits using this exploit to harm users! And we’re just getting started.

When the news came out that the exploit was likely to be implemented in Blackhole exploit kits, the IT security world sat up and took notice, because these kits are one of the most widespread attack instruments around, if not the most widespread. Everybody knew: the combination of this new exploit and the exploit kit, with Oracle's next planned update release almost 2 months away, means the impact is going to be huge! And not even 48 hours after the discovery was made public, we have evidence that this is happening:

We encountered IP ranges serving various URLs that host a Blackhole exploit kit with the new attack implemented (see example URLs below). Those URLs are very short-lived, and this is only the tiny tip of the iceberg! We'll keep you updated.



Background information:
What's the problem?
A 0-day vulnerability has been discovered in Oracle's Java 7. According to media reports, attacks so far have only been targeted and not widespread. However, since the exploit code has now been published, there will soon be many exploit packs and other attack scenarios, and the number of recorded attacks will inevitably rise.

Who is affected?
Users of Java 7 Update 0 through Java 7 Update 6 are currently at risk. Users of Java version 6 or below do not seem to be affected by this vulnerability, but the use of older versions of Java bears other security risks and we explicitly advise against downgrading!
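To check an installed Java against the affected range named above, the following helper parses the version strings Oracle uses (for example the output of `java -version`, "1.7.0_06", or the "Java 7 Update 6" form) and reports whether that build falls into Java 7 Update 0 through Update 6. This is an added example for this post, not code from Oracle or from any exploit kit; the version strings it is tested with are constructed samples.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the advisory: Java 7 Update 0 through Java 7 Update 6.
AFFECTED_MAJOR = 7
AFFECTED_UPDATES = range(0, 7)

# Oracle-style strings such as "1.7.0_06" or "1.6.0_33" (an optional "-b13"
# build tag is ignored), and marketing-style strings such as
# "Java 7 Update 6" or "7u6".
_ORACLE = re.compile(r'1\.(\d+)\.\d+(?:_(\d+))?')
_MARKETING = re.compile(r'(?:Java\s+)?(\d+)\s*(?:u|Update\s+)(\d+)', re.IGNORECASE)


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a version string or a `java -version`
    line, or None if no recognisable Java version is present."""
    m = _ORACLE.search(text)
    if m:
        # "1.7.0" without an update suffix is Java 7 Update 0.
        return int(m.group(1)), int(m.group(2) or 0)
    m = _MARKETING.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def classify(text: str) -> str:
    """Classify a Java version string against the advisory:
    'affected'     -> Java 7u0 to 7u6, disable the browser plug-in now
    'outdated'     -> Java 6 or older, not hit by this bug but do not downgrade
    'not-affected' -> a newer release than the affected range
    'unknown'      -> no Java version could be parsed"""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major == AFFECTED_MAJOR and update in AFFECTED_UPDATES:
        return "affected"
    if major < AFFECTED_MAJOR:
        return "outdated"
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample lines, as `java -version` prints them to stderr.
    for line in ('java version "1.7.0_06"', 'java version "1.6.0_33"', "Java 7 Update 0"):
        print(line, "->", classify(line))
```

Feed it the output of `java -version` for each installed runtime (32-bit and 64-bit are separate installations, as Step 1 below notes).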

What should I do now?
Until Oracle provides a suitable patch or update for Java, there is only one way to prevent the effect of the exploit: to deactivate Java 7 for all installed browsers. This is done in two steps, which must both be performed!

Step 1: This is how you deactivate Java for all the browsers you use

  • Close all browser windows
  • In Windows Explorer, go to C:\Program Files (x86)\Java\jre7\bin
  • Search for the file javacpl.exe and execute it as an administrator (right-click the file, choose "Run as administrator") and confirm the displayed prompt with "Yes"
  • Choose: Advanced > Default Java for browsers
  • Remove the checkmark for all displayed browsers
  • If a browser is greyed out, the checkmark there can be removed by pressing the space key
  • Confirm the changes first with "Apply" and then with "OK"
  • If you also have the 64-bit version of Java installed, repeat these steps for that version at C:\Program Files\Java\jre7\bin

Step 2: Deactivate Java individually in each installed browser

  • Now you individually deactivate Java in each of the browsers installed on your computer to ensure you're protected – irrespective of whether you use the browser or not.
  • Firefox (current version: 15.0)
    Tools > Add-ons > Plugins > Disable all plug-ins in combination with Java
  • Internet Explorer (current version: 9.0.9)
    Tools > Manage add-ons > set "Show" to "All add-ons" > disable all add-ons related to Oracle America Inc.
  • Google Chrome (current version: 21.0.1180.83)
    Enter chrome://settings/content in the Chrome browser, then > Plug-ins > Disable individual plug-ins > Disable all plug-ins related to Java
  • Safari for Windows (current version 5.1.5)
    Click the cog > Settings > Security > Remove the checkmark for "Activate Java"

This is how you can test whether you've made the right settings for the current threat:

  • In each installed browser, visit the following website:
  • If you see "No working Java was detected on your system [...]" or "Java [...] not executed", the settings are correct
  • If the Java display works in one of the browsers, you have to check the settings for this browser again

Is it possible to simply remove Java 7?
Of course, that is possible. However, there are also legitimate programs on your PC that use Java and without the installed Java components some legitimate program functions might not work properly.

General notes on handling Oracle's Java:

  • In general, it makes sense to always keep Java up-to-date. To find out whether you have the latest version, you can visit the following website:
    Please note: If Java is deactivated in the browser (see instructions above), the online check is naturally not possible. In that case, you can see the version under Start > Control Panel > Java, in the "About" menu item on the "General" tab
  • If you do not have the latest Java version installed, you should first remove all currently installed Java versions before installing the current version. "Keeping old and unsupported versions of Java on your system presents a serious security risk," explains Oracle on its homepage, and we can only second that statement
  • So follow Oracle's official instructions for removing old Java versions and download the current version from the official website in order to install it: