- January 23, 2013
- 4:43 pm
- Steve Christensen
ITS security alert: Java 7 (1.7) vulnerability
Many of you may have read in the news that researchers have found a Java vulnerability that attackers are using to hijack computers on the web. Java, a popular programming language used particularly for web applications, is reportedly installed on more than 10 million computers. At this time, Loyola’s University Information Security Office has not identified any infections, but we are monitoring the situation closely and are working to make a solution available as soon as possible.
What Should I Do?
The default Java version level that ITS installs on all University-owned computers is Java Version 6 (1.6). To check which version you are currently running, please click here. If you realize that your University-owned computer is running Java Version 7 (1.7), or if you suspect your University-owned computer may have a virus, please contact the ITS help desk right away at 8.4ITS or email@example.com.
If you have Version 6 (1.6), please do not update your Java version. Updating your Java version will introduce this new version level on your computer and most likely make your computer vulnerable to attack. We will continue checking computers via inventory systems to detect if any University-owned computers are running Java version 7 (1.7). If we identify computers running version 7, we will formulate a mitigation plan. In the meantime, researchers are advising computer owners with Java 7 to disable Java in all browsers. At this time, this is the only known solution.
Please also note that this vulnerability is not limited to computers at Loyola, so please take the time to check your personal computers at home. We also recommend that users use Firefox wherever possible. Firefox contains a feature called “Click to Play,” which will warn you when a page you are visiting contains Java. This adds an extra layer of protection by letting you confirm that you are at the website you intended to visit.
The bugs in question are in Java 7, also known as version 1.7, and affect Windows, Mac OS X, and Linux operating systems running a web browser with a Java plugin enabled. Java 6 (1.6) does not appear to contain this vulnerability, although other vulnerabilities may exist.
What Happens If I Have a Vulnerable Version of Java?
Browsing the web with a vulnerable version of Java installed and enabled means that simply visiting a website is enough for an attacker to compromise your computer. This is known as a “drive-by” download. While “safe browsing” to only trusted websites may limit your exposure to “drive-by” downloads, it does not address the underlying vulnerability or prevent exploitation. The malicious software installed through these attacks may collect user names and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, e-mail, etc.
Again, if you realize that your University-owned computer is running Java Version 7 (1.7), or if you suspect your University-owned computer may have a virus, please contact the ITS help desk immediately.
Information Technology Services