The U.S. Department of Homeland Security has warned computer users to disable or uninstall Java software.
Read more here: charlotteobserver.com
Originally posted by DontTreadOnMe
Well, the DHS wasn't the deciding factor, but ZDnet is one I have some respect for.
I did disable...and the instructions are here.
I'm not sure what Java even does...or how often it is used on my PC.
I do know Amazon Cloud uses it to back up stuff.....
By leveraging a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving the Reflection API and the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier are affected.
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Starting with Java Version 7 Update 10, a new security feature has been added to Java. Some web pages may include content or apps that use the Java plug-in, and these can now be disabled using a single option in the Java Control Panel.
CERT Releases Oracle Java 7 Security Advisory
added Thursday, January 10, 2013 at 4:20 pm | updated Friday, January 11, 2013 at 4:42 pm
The CERT Program has released Vulnerability Note VU#625617 to address a vulnerability in Oracle Java Runtime Environment (JRE) 7 and earlier that is currently being exploited in the wild. This vulnerability may allow an attacker to execute arbitrary code on vulnerable systems. US-CERT encourages users and administrators to review CERT Vulnerability Note VU#625617 and US-CERT Alert TA13-010A. Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers as described in the "Solution" section of the US-CERT Alert and in the Oracle Technical Note "Setting the Security Level of the Java Client."
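The Java 7 Update 10 option the advisories describe (disable Java content in the browser, raise the security level) is also exposed as keys in the JRE's deployment.properties file, which is how an administrator would apply the workaround to many machines. Below is an added example, not code from the thread, CERT or Oracle, that audits such a file and rewrites it with the plug-in disabled; the deployment.webjava.enabled and deployment.security.level keys exist in 7u10+, while the ".locked" suffix used to pin them in the Control Panel is an assumption here.

```python
# Added example (not from the thread, CERT or Oracle): audit and harden a
# Java 7u10+ deployment.properties so the browser plug-in is disabled.
# Keys deployment.webjava.enabled and deployment.security.level are real
# 7u10+ settings; the "<key>.locked" line that stops users from flipping
# them back in the Java Control Panel is assumed for this example.

WEBJAVA_KEY = "deployment.webjava.enabled"
LEVEL_KEY = "deployment.security.level"
HARDENED = {WEBJAVA_KEY: "false", LEVEL_KEY: "VERY_HIGH"}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments.
    A bare key with no '=' (e.g. a .locked marker) maps to ''."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        props[key.strip()] = value.strip() if sep else ""
    return props


def audit(text: str) -> list:
    """Return the hardening settings that are missing, wrong or unlocked."""
    props = parse_properties(text)
    findings = []
    for key, wanted in HARDENED.items():
        found = props.get(key, "<unset>")
        if found.upper() != wanted.upper():
            findings.append(f"{key} should be {wanted}, found {found}")
        if f"{key}.locked" not in props:
            findings.append(f"{key} is not locked")
    return findings


def harden(text: str) -> str:
    """Rewrite the properties text with the plug-in disabled and locked,
    dropping any existing lines for the keys we manage (and their .locked)."""
    kept = [l for l in text.splitlines()
            if not any(l.strip().startswith(k) for k in HARDENED)]
    for key, wanted in HARDENED.items():
        kept.append(f"{key}={wanted}")
        kept.append(f"{key}.locked")
    return "\n".join(kept) + "\n"


# Constructed sample: a config that still allows Java content in browsers.
SAMPLE = ("# Java Deployment Properties\n"
          "deployment.webjava.enabled=true\n"
          "deployment.security.level=MEDIUM\n")

if __name__ == "__main__":
    print(audit(SAMPLE))          # four findings before hardening
    print(audit(harden(SAMPLE)))  # [] after hardening
```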