Network Services Security Alert: Java 7 “Zero Day”

Rev 2013.01.14 03

CU*Answers Network Services takes network security very seriously. We are sending this alert to you to help you maintain your network security.

A “zero day” exploit of Oracle’s Java 7 Update 10 and earlier versions of 7 hit the Internet late last week and made national news over the weekend. The vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code and completely compromise vulnerable PCs. Prior to Sunday there were no vendor patches available. According to both CERT and NIST, the vulnerability is limited to Java 7 versions prior to Update 11.

What we are doing

  1. Oracle released update 11 for Java 7 late on January 13. Network Services will be emailing software inventory reports to you this week.
    • Review these reports for any Java 7 versions prior to Update 11 installed on your network and plan to upgrade them ASAP.
    • Network Services can assist with the upgrades as part of your Complete Care allotment or on an hourly basis.
  2. Network Services is rolling out updates from your anti-virus vendor designed to thwart the attacks. Anti-virus updates are a mitigation strategy, but upgrading to Java 7 Update 11, or completely removing Java if not necessary, is still the best option.
  3. Clients with managed VMware vCenter Essentials for software patching protection will be contacted by Network Services to coordinate patching activities.
  4. If you operate TCDs or TCRs with Lutzwolf middleware software, the Java version installed is Java 6, which is not affected by this particular vulnerability. Please make sure your Java 6 version is fully patched but do not upgrade to Java 7 as the middleware is not yet compatible with this version.


What you can do

  1. Review the software inventory we are providing and remove Java from computers that do not require it for business operations. Removing it means you don’t have to worry about patching it in the future. (Do not remove it from your cash dispenser PCs).
  2. Do not allow users to run with PC administrator privileges.
  3. Limit web site access to those required for business operations.
  4. Think before you click. Never agree to run an unsigned application, Java or otherwise.
  5. Advise employees to keep their home computers patched, including this new Java update, and require it for any PC used for remote access to your corporate network.
  6. Disable Java in web browsers that do not require it for business operations. Consider using a dedicated browser for Java functions and a second one with Java disabled for Internet browsing.
  7. Check netserv.cuanswers.com for the latest information.
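The inventory review in items 1 and 6 above can be checked on each PC directly. The PowerShell script below is an added example, not part of the CU*Answers alert or the software inventory reports Network Services sends. It reads the Java entries from the Windows uninstall registry keys, parses the major version and update number, and flags any Java 7 install below Update 11 (the threshold given in the alert). It assumes Oracle's "Java 7 Update 10" / "Java(TM) 6 Update 37" DisplayName format; the function names Get-JavaInventory and Test-JavaVulnerable are ours.

```powershell
# Added example (not from the CU*Answers alert): list installed Java releases
# on this PC and flag Java 7 builds prior to Update 11.
# Assumption: Oracle's uninstall DisplayName looks like "Java 7 Update 10",
# "Java 7 Update 10 (64-bit)" or "Java(TM) 6 Update 37".

$FixedMajor  = 7    # Java 7 is the affected major version
$FixedUpdate = 11   # Update 11 is the first fixed release per the alert

# 32-bit and 64-bit uninstall hives; both can hold a Java entry on x64 PCs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$JavaNamePattern = '^Java(?:\(TM\))?\s+(\d+)\s+Update\s+(\d+)'

function Test-JavaVulnerable {
    param([int]$Major, [int]$Update)
    # In scope per CERT/NIST: Java 7 before Update 11. Java 6 (TCD/TCR
    # middleware PCs) is reported but not flagged for this issue.
    return ($Major -eq $FixedMajor -and $Update -lt $FixedUpdate)
}

function Get-JavaInventory {
    # One object per Java entry found, with a recommended action.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $JavaNamePattern } |
        ForEach-Object {
            $null = $_.DisplayName -match $JavaNamePattern   # populates $Matches
            $major  = [int]$Matches[1]
            $update = [int]$Matches[2]

            if (Test-JavaVulnerable -Major $major -Update $update) {
                $action = 'UPGRADE to 7 Update 11 or remove'
            } elseif ($major -eq 6) {
                $action = 'Keep on Java 6 (middleware); ensure fully patched'
            } else {
                $action = 'OK'
            }

            New-Object PSObject -Property @{
                Computer    = $env:COMPUTERNAME
                DisplayName = $_.DisplayName
                Major       = $major
                Update      = $update
                Version     = $_.DisplayVersion
                Action      = $action
            }
        }
}

$Report = Get-JavaInventory
$Report | Format-Table Computer, DisplayName, Version, Action -AutoSize

# Non-zero exit lets a scheduled job or management tool collect affected PCs.
if ($Report | Where-Object { $_.Action -like 'UPGRADE*' }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell prompt on each workstation, or push it through your management tool and collect the exit codes. PCs with no Java entry at all produce an empty report and exit 0; Java 6 entries are listed but left alone, matching item 4 under "What we are doing".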

References:

CERT: http://www.kb.cert.org/vuls/id/625617

Oracle: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

NIST: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422

Java.com: http://java.com


www.cuasterisk.com | Phone: 616.285.5711 | Toll Free: 800.327.3478 x167 | Fax: 616.285.5735