Java is indeed an enterprise technology. Solid, scalable, portable and, recently… pretty buggy. The latest out-of-band patch released by Oracle (Java 7 Update 11, security alert CVE-2013-0422) seems not to be enough.
Now comes the “funny bit”: all banks and public authorities in Denmark depend on NemID, an authentication scheme powered by a Java applet. The browser applet is the only part of the Java ecosystem that is vulnerable in this case (desktop and server apps are unaffected).
This is very unfortunate, because the nature of the exploit allows an attacker to gain full control over the computer with almost no visible sign. Many banks in Denmark have issued statements that users should disable Java for all sites except the ones that rely on NemID for authentication (the latest Java update allows this). The media have also covered the case pretty well. The question is: will this create enough pressure on Oracle to start seriously fixing Java? Rough estimates say that fixing it might take as much as 2 years.
But what about the meantime? In the case of Denmark this vulnerability is a gift for the dark characters, because every important service relies on NemID, which means most people have some version of Java installed.
To avoid problems, make sure to:
- immediately update to the most recent Java version
- disable Java for sites that do not use NemID (this can be done in Java 7 Update 11 and up)
- use common sense and, if unsure, click “No” when a prompt such as “Do you want to execute this applet?” comes up
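A small check for the first point above, added here as an example (it is not from the original post, NemID or Oracle): parse the output of `java -version` and flag any runtime older than Java 7 Update 11, the release that carries the CVE-2013-0422 fix. The regex, the `PATCHED` threshold and the helper names are my own assumptions; anything below 7u11 is simply reported as needing an update, in line with the advice above.

```python
import re
import subprocess

# Java 7 Update 11 is the out-of-band release that addresses CVE-2013-0422.
PATCHED = (7, 11)

# Matches the version line in both the classic format ("1.7.0_10")
# and the newer one ("11.0.2"); constructed for this example.
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    if m.group(1) == "1":
        # Classic "1.<major>.0_<update>" layout used by Java 7 and 8.
        major = int(m.group(2))
        update = int(m.group(3)) if m.group(3) else 0
    else:
        # Java 9+ dropped the "1." prefix; update number not needed here.
        major, update = int(m.group(1)), 0
    return (major, update)


def is_patched(version):
    """True if the runtime is at least the 7u11 fix level for CVE-2013-0422."""
    if version is None:
        return False
    return version >= PATCHED


def installed_java_version():
    """Run `java -version` (it prints to stderr) and parse the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None  # no Java on PATH: nothing to patch, nothing to exploit
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    v = installed_java_version()
    print("installed:", v, "patched for CVE-2013-0422:", is_patched(v))
```

A runtime that passes this check is only at the 7u11 level, which, as noted above, is not considered a complete fix; keeping the browser plugin disabled outside NemID still applies.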
More about the vulnerability can be found on US-CERT: http://www.kb.cert.org/vuls/id/625617
Article in Danish from DK-CERT: https://www.cert.dk/nyheder/nyheder.shtml?13-01-15-11-16-47