Yesterday I mentioned how a new zero-day vulnerability had been discovered in Java, and you may be forgiven for thinking that it was an issue that could only affect Windows users.
Of course it isn’t – the exploit affects Mac and Linux users too.
In fact, the Metasploit Exploit Team have already created a module and successfully attacked the following:
- Windows 7 SP1 with Java 7 Update 6
- Mozilla Firefox on Ubuntu Linux 10.04
- Internet Explorer / Mozilla Firefox / Chrome on Windows XP
- Internet Explorer / Mozilla Firefox on Windows Vista
- Internet Explorer / Mozilla Firefox on Windows 7
- Safari on OS X 10.7.4
Considering the wide range of targets that this opens up, it seems likely that attacks, though currently limited, may well be developed further, especially as Oracle aren’t well known for releasing patches out of cycle (the next scheduled one is for October 16th).
In the meantime, as I said yesterday, the best course of action would be to severely limit your use of Java or uninstall it completely, including the Java browser plugin.
Alternatively, if you “qualify”, you may wish to try out an unofficial patch which is currently available from Deep End Research.