A high risk Java vulnerability was announced on 11 January 2013. It allows a Java application to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java application.
Any web browser using the Java version 7 plug-in is affected. Some common Java tools like Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors. Reports indicate this vulnerability is being actively exploited, and the exploit code is publicly available.
Oracle released Java 7 Update 11 with fixes for the vulnerability on 14 January 2013 and advised users to install this update immediately to address the security issue. However, the update still left certain security bugs unfixed, and Oracle has subsequently announced several new update releases to address the outstanding vulnerabilities. As of 22 February 2013, the latest release is Java 7 Update 15.
Our Response and Recommendations
In response to the Java vulnerability, ITS has applied the latest signature in the Internet firewall to protect against potential attacks made possible due to the vulnerability, and will continue to apply new signatures as they become available.
ITS has also reviewed all central IT services accessible through the HKU Portal for their dependency on Java, and concluded that most applications would continue to operate with Java disabled in web browsers, with the following exceptions:
- Financial Functions for Operational Staff (FFOS)
- IHP facilities booking system
If you need to use any of the above applications or access any Java-based websites, you are advised to upgrade Java on your PC/notebook to the latest release (currently, Update 15 for Java 7 or Update 41 for Java 6). In order to mitigate risk associated with new Java vulnerabilities in the future, you may want to disable Java, and only enable it when you need it for accessing Java-based applications or websites.
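One way to check whether a PC already meets the release levels named above (Java 7 Update 15, Java 6 Update 41) is to parse the output of `java -version` and compare the update number against those thresholds. The script below is an added illustration, not an ITS tool; the sample version strings are constructed, and the version-string format it expects ("1.7.0_15") is the one Oracle used for Java 6 and 7 at the time.

```python
import re
import subprocess

# Minimum patched update levels from the advisory: Java 7 Update 15, Java 6 Update 41.
MIN_UPDATE = {"1.7": 15, "1.6": 41}

# Matches the first line of `java -version`, e.g. java version "1.7.0_15"
VERSION_RE = re.compile(r'java version "(\d+\.\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (family, update) such as ("1.7", 15) from `java -version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return m.group(1), int(m.group(2) or 0)


def is_patched(output):
    """True if the reported Java meets the advisory's minimum update level,
    False if it is older, None if no Java version or an uncovered family was found."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    required = MIN_UPDATE.get(family)
    if required is None:
        return None  # e.g. a later family not covered by this advisory
    return update >= required


def installed_java_version_text():
    """Run `java -version` on this machine; the JVM writes its banner to stderr."""
    try:
        result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""  # no java on PATH: nothing to assess
    return result.stderr


# Constructed sample banners used to exercise the check offline.
SAMPLE_OLD_JAVA7 = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
SAMPLE_PATCHED_JAVA7 = 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)\n'
SAMPLE_PATCHED_JAVA6 = 'java version "1.6.0_41"\nJava(TM) SE Runtime Environment (build 1.6.0_41-b02)\n'

if __name__ == "__main__":
    for label, text in [("old 7", SAMPLE_OLD_JAVA7), ("patched 7", SAMPLE_PATCHED_JAVA7),
                        ("patched 6", SAMPLE_PATCHED_JAVA6), ("this machine", installed_java_version_text())]:
        print(label, parse_java_version(text), is_patched(text))
```

The check only tells you whether the installed runtime is at or above the advisory's level; it does not tell you whether the browser plug-in is enabled, so the recommendation to keep Java disabled in the browser until it is needed still applies.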
Finally, we would like to remind our users that security intrusions happen on the Internet every day. We must remain vigilant: refrain from accessing unknown websites, particularly those linked from unsolicited spam/phishing emails, and always observe information security measures so that the University stays safe in an Internet-connected world.
If you need any assistance, please contact us at email@example.com.
Tel: 2859 2497