Oracle confirmed on Saturday the worst kept secret 0-day vulnerability in Java 7 and told Reuters that “a fix will be available shortly.” On Thursday, the U.S. Computer Emergency Readiness Team, or US-CERT, issued the following findings about the falty software.
- Overview – Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
- Description – Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
- Impact – By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
In response to the threat, Apple blocked Java 7 on OS X 10.6 and up while Mozilla included it on their add-on blocklist. The main concern over the software seems to be a security hole, which would allow an individual to attack a person's machine by installing malicious content. Not until Oracle releases the Java 7 Update 11 will Mac users and Firefox users be able to use the plugin again.