The Catholic University of America

Java Zero Day Exploit - January 2013

CERT reported on 10 Jan 2013 that Java 7 Update 10 and earlier Java 7 versions contain a vulnerability that can allow a remote attacker to execute arbitrary code on a vulnerable system.  Oracle has since updated this information to state that Java 7 Update 13 and earlier, Java 6 Update 39 and earlier and several other earlier versions are vulnerable.

Oracle has provided an updated version to address this vulnerability. 

University Computers

Java is not needed by most websites and applications. CPIT recommends that you disable Java in the web browsers on your assigned computer. This article on the Oracle Java website describes how to do this: How do I disable Java in my web browser?  But see the Notes section below for important caveats, as Java is required by certain applications used on campus.

If you are not using these applications (see Notes section below), but you do want to continue to use Java in your web browser, you can update it to the current version on your Windows 7 computer by navigating to Start > Control Panel > Programs, Get Programs and selecting Java 7.

The Microsoft antivirus engine used on campus Windows computers detects this threat. You should still exercise caution when browsing the web if Java is enabled in the browser: visit only well-known sites.
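As an added illustration that is not part of the university's advisory, the following Python script checks `java -version` banner lines against the affected ranges the advisory quotes from Oracle (Java 7 Update 13 and earlier, Java 6 Update 39 and earlier) so that a support technician can quickly triage an inventory of installed versions. The sample banner lines are constructed for the example, and the "unknown" category for major versions the advisory does not enumerate is this example's own assumption, since the advisory only says "several other earlier versions" are affected.

```python
import re

# Affected ranges as stated in the advisory, keyed by Java major version ->
# highest affected update number. Anything above these is outside the range.
AFFECTED_MAX_UPDATE = {7: 13, 6: 39}

# Matches the first line printed by `java -version`, for example:
#   java version "1.7.0_10"
#   java version "1.6.0_39"
#   java version "1.7.0"        (no update number: treated as update 0)
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?(?:-[^"]*)?"')


def parse_java_version(line):
    """Return (major, update) from a `java -version` banner line, or None."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def classify(line):
    """Classify one banner line as affected / updated / unknown / unrecognised."""
    parsed = parse_java_version(line)
    if parsed is None:
        return "unrecognised"
    major, update = parsed
    if major in AFFECTED_MAX_UPDATE:
        return "affected" if update <= AFFECTED_MAX_UPDATE[major] else "updated"
    # The advisory mentions "several other earlier versions" without listing
    # them, so majors it does not name are flagged for manual review (assumption).
    return "unknown"


# Constructed sample banner lines, not real inventory data.
SAMPLE_BANNERS = [
    'java version "1.7.0_10"',
    'java version "1.7.0_13"',
    'java version "1.7.0_15"',
    'java version "1.6.0_39"',
    'java version "1.6.0_41"',
    'java version "1.5.0_22"',
    'OpenJDK Runtime Environment (IcedTea7 2.3.4)',
]


def inventory_report(banners):
    """Map each banner line to its classification."""
    return {b: classify(b) for b in banners}


if __name__ == "__main__":
    for banner, status in inventory_report(SAMPLE_BANNERS).items():
        print(f"{status:12} {banner}")
```

In practice the banner lines would come from running `java -version` on each machine (it prints to stderr) and collecting the first line; the script deliberately reports "unrecognised" for anything that is not a Sun/Oracle-style banner rather than guessing.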

Personally-Owned Computers

The U.S. Department of Homeland Security continues to recommend that you disable or uninstall (Windows, Mac OS X) Java on your computer.

Make sure your antivirus software is enabled and has the latest definitions installed.

Exercise caution when browsing the web: visit only well-known sites.

Notes

Java is required in order to use the chat or virtual classroom features in Blackboard.

If you are an employee who uses Cardinal Advancement or WebNow, a specific version of Java is required, so you will need to leave Java enabled in the browser you use for these applications. Do not attempt to update it to a newer version. Please disable Java in your other browsers.

If you do leave Java enabled in your browser, please restrict your web browsing to well-known sites.

More Information

Oracle: Updated Release of the February 2013 Oracle Java SE Critical Patch Update

CERT Vulnerability Note VU#625617: Java 7 fails to restrict access to privileged code

DHS US-CERT Alert (TA13-010A): Oracle Java 7 Security Manager Bypass Vulnerability

KrebsonSecurity: What You Need to Know About the Java Exploit