Disable Java! Immediately!
Due to a combination of persistent attacks against this site and the discovery of a flaw in Oracle’s Java (used to run the standard chat client), I have changed the standard chat client and instead am having it launched as a Flash-based application.
UPDATE: This is especially important for those of you on Windows systems using Internet Explorer as this is currently the platform being targeted, but all operating systems and browsers are vulnerable should other entities choose to create variants of the original attack. It has also been said that only the latest Java version 7 (code version 1.7) is vulnerable, which means that most Apple computers are going to be safe at this point since JRE 7 has only become available for Macs very recently, so unless you manually updated your Java from Java.com to JRE 7 (code version 1.7) you should be safe. Windows users – you’re fucked unless running an older version of Java.
This is simply a precaution – there’s no known Java exploit through this site or through the Java that had been used here for the chat.
Within days of its discovery it appears that a new zero day flaw in Java could soon be in widespread use.
FireEye first reported on the flaw being used in a targeted attack originating from a Chinese web server. The web page hosting the exploit is timestamped August 22nd, 2012.
The flaw affects all versions of Oracle’s Java 7 (version 1.7) on all supported platforms. Java 6 and earlier are unaffected. No patch is available at this time.
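As an added check (not part of the original post), a small Python script that parses the banner `java -version` prints and flags the Java 7 (code version 1.7) line the post describes as affected; the sample banners are constructed, and the `installed_java_version` helper is an assumption about where the banner appears (Java writes it to stderr).

```python
import re
import subprocess
from typing import Optional, Tuple

# Java prints its version banner on stderr, e.g.:
#   java version "1.7.0_06"
#   Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?"')


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, update) from a `java -version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_affected(version) -> bool:
    """Affected line per the post: any Java 7, i.e. code version 1.7.x. Java 6 and earlier are not."""
    return version is not None and version[:2] == (1, 7)


def installed_java_version():
    """Run the local `java -version` (banner goes to stderr); None if java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample banners so the check can be exercised offline.
SAMPLE_BANNERS = {
    "jre7": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "jre6": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)',
    "none": "command not found",
}


def classify_banners(banners):
    """Map each banner name to True if it is the affected 1.7 line."""
    return {name: is_affected(parse_java_version(b)) for name, b in banners.items()}


if __name__ == "__main__":
    print("samples:", classify_banners(SAMPLE_BANNERS))
    print("this machine:", installed_java_version())
```

This only reports the JRE found on PATH; the browser plugin can be a different install, so the real mitigation the post calls for is still disabling the plugin in each browser.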
The next scheduled update for Java is October 16th, 2012. Oracle has a bad track record for releasing timely patches for Java exploits, but with all the attention this flaw is getting I would hope it would release an out of cycle fix if for no other reason than to save face.
Early reports suggested that Google Chrome was immune to the problem, but that appears to have been a bug in the attacker’s code. The Metasploit project released proof of concept code that exploits the flaw on all browsers and operating systems (Windows, OS X, Linux).
This exploit is extremely dangerous because it allows attackers to run any code they wish to run on your computer simply by visiting a site with malicious Java code running on it.
Rather than try to post a bunch of links or instructions on how to disable Java in your browser, I suggest you simply Google or Bing a phrase like “disable Java Internet Explorer” or “disable Java Firefox” without the quotes.
Oracle may or may not get a fix out in the next few days; it may just wait for its next scheduled release date in mid September, but let’s hope not.