According to this article, Security Explorations has identified a new vulnerability (they are calling it a zero day but, as I understand it, it’s just a proof of concept at this point) in the latest version of Java. There’s ample detail in the linked story but I wanted to touch base on just two key points:
- What does this mean for me? Basically, if you have Java installed on your computer, even the latest version, an attacker can create a program that, when you run it, will give the attacker the ability to control your computer with the same rights and permissions that you have. If you are a limited user, the attacker will be able to operate as a limited user. If you are an administrator on your computer (or your server and / or domain), the attacker will have those same administrative privileges.
- What do I need to do? If you aren’t using it, I would remove Java. I’ve never been a huge fan but it’s a necessary evil in many cases. If you do have it installed and do need it, be very wary of where you’re going to and how Java is being used.
We will try to post more as additional details arise. If Oracle can get a patch out quick (that’s quickly deployed), this can be a huge win. If they can’t and this ends up being another snafu like the one that the most recent patch was supposed to fix (but arguably did not), it will be yet another black eye for Oracle.