Java 7 Security Manager Vulnerability (zero-day)

A recently reported zero-day vulnerability in the Java 7 Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet, or could compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack). Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.

Any system using Oracle Java 7 (1.7, 1.7.0) is affected, including:

  • Java Platform Standard Edition 7 (Java SE 7)
  • Java SE Development Kit (JDK 7)
  • Java SE Runtime Environment (JRE 7)

All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk.
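To triage hosts against the range stated above, the following added example (not part of the original advisory) classifies the version string printed by `java -version`. It assumes the usual `1.7.0_NN` string format, judges on the version string alone, and does not check the vendor or whether the browser plug-in is enabled; the function names and output labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): flag Java version strings that fall in
# the range the advisory names, Java 7 (1.7.0) through update 10.

# Pull the quoted version out of `java -version` output read from stdin,
# e.g.  java version "1.7.0_10"  ->  1.7.0_10
extract_java_version() {
    sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print one of: affected | java7-later-update | not-java7 | unknown
classify_java_version() {
    v=$1
    case "$v" in
        1.7.0|1.7.0-*) echo affected; return 0 ;;  # base release, no update number
        1.7.0_*) ;;                                 # update release, inspected below
        ""|1.7) echo unknown; return 0 ;;           # nothing parsed, or family name only
        *) echo not-java7; return 0 ;;              # outside the advisory's scope
    esac
    upd=${v#1.7.0_}        # "10-b18" from "1.7.0_10-b18"
    upd=${upd%%[!0-9]*}    # keep the leading digits only
    if [ -z "$upd" ]; then echo unknown; return 0; fi
    upd=$(printf '%s' "$upd" | sed 's/^0*//')   # "07" -> "7", avoids octal parsing
    upd=${upd:-0}
    if [ "$upd" -le 10 ]; then echo affected; else echo java7-later-update; fi
    return 0
}

# Constructed sample first lines of `java -version` (not captured from real hosts).
samples='java version "1.7.0_10"
java version "1.7.0_07-b11"
java version "1.7.0"
java version "1.7.0_11"
java version "1.6.0_38"'

printf '%s\n' "$samples" | while IFS= read -r line; do
    ver=$(printf '%s\n' "$line" | extract_java_version)
    printf '%-14s %s\n' "$ver" "$(classify_java_version "$ver")"
done

# To check the local runtime instead (java prints its version on stderr):
#   classify_java_version "$(java -version 2>&1 | extract_java_version)"
```
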

Technical details about this vulnerability are available here. Oracle has released a Security Alert that provides update information to mitigate this vulnerability, and you can find the latest version of Java SE here.