National Cyber Awareness System
US-CERT Alert TA12-240A
Oracle Java 7 Security Manager Bypass Vulnerability
Original release date: August 27, 2012
Last revised: --
Any system using Oracle Java 7 (1.7, 1.7.0) including:
* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)
Web browsers using the Java 7 Plug-in are at high risk.
A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary operating system
commands. An attacker could use social engineering techniques to
entice a user to visit a link to a web site hosting a malicious
Any web browser using the Java 7 Plug-in is affected.
Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.
By convincing a user to load a malicious Java applet, an attacker
could execute arbitrary operating system commands on a vulnerable
system with the privileges of the Java Plug-in process, that is, as
the user running the web browser.
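To make concrete what the Security Manager is supposed to do for an applet, the following program is an added illustration (it is not part of the US-CERT alert and does not reproduce the exploit). It runs the same command-execution attempt twice: once inside a permission context with no permissions at all, which is how the plug-in confines an unsigned applet, and once from code holding full permissions. The only difference between "blocked" and "executed" is the permission context in force, which is exactly what the vulnerability lets an applet change for itself. The class name, the command "hostname" and the always-grant Policy are constructed for this example.

```java
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/*
 * Constructed demonstration of the Java 7 sandbox model.
 * Run with: java SandboxDemo            (JDK 7 to 17)
 *           java -Djava.security.manager=allow SandboxDemo   (JDK 18 to 23)
 * Not runnable on JDK 24 or later, where the Security Manager is permanently disabled.
 */
public class SandboxDemo {

    /** Stands in for an applet body trying to run an OS command. */
    static String tryExec(final String cmd) {
        try {
            Runtime.getRuntime().exec(cmd);   // SecurityManager.checkExec -> FilePermission "<<ALL FILES>>" "execute"
            return "executed";
        } catch (SecurityException e) {
            return "blocked by Security Manager: " + e.getMessage();
        } catch (IOException e) {
            return "command not found: " + e.getMessage();
        }
    }

    /**
     * Runs the attempt with an empty permission set. A ProtectionDomain built
     * with a fixed PermissionCollection is static: the Policy is not consulted
     * for it, so nothing the caller holds leaks into the sandboxed action.
     */
    static String runSandboxed(final String cmd) {
        Permissions none = new Permissions();
        ProtectionDomain sandbox = new ProtectionDomain(null, none);
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { sandbox });
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() { return tryExec(cmd); }
        }, ctx);
    }

    public static void main(String[] args) {
        // Constructed policy: grant everything to the program itself so that
        // the restriction seen below comes only from the sandboxed context.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println("confined applet context : " + runSandboxed("hostname"));
        System.out.println("unconfined context      : " + tryExec("hostname"));
    }
}
```

The first line of output reports the attempt blocked with an AccessControlException naming the missing execute permission; the second reports it executed. An applet that can move itself from the first context to the second, whether by installing a permissive Security Manager, removing it, or gaining AllPermission, has the impact this alert describes.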
Disable the Java Plug-in in every installed web browser.
A better solution: use OpenJDK Java or Oracle Java 6 ..