Surprise, another serious Java vulnerability (VU#625617, CVE-2013-0422), similar in some ways to the last serious Java vulnerability (VU#636312, CVE-2012-4681), has been discovered. Self-quoting from last time:

We strongly recommend disabling Java support in web browsers—and also applying any and all Java security updates.

Is installing the [7u7] update necessary? Yes. Is it sufficient? No.

Not much has changed. Like CVE-2012-4681, this new vulnerability doesn’t involve memory corruption, so EMET and other runtime mitigation techniques won’t help you. Java is cross platform, accessible via web browsers, and has architectural soft spots related to reflection, SecurityManager, and the Java sandbox. The Next Generation Java Plug-in (used by default) runs out-of-process, so web browser sandboxing andInternet Explorer Protected Mode are out of the way. These are some of the reasons that make Java an attractive target for attack. And that’s why (self-quoting again):

We strongly recommend disabling Java support in web browsers. And leave it off.

As mentioned earlier, Java 7u10 now provides a one-click option to disable Java in web browsers along with some other security enhancements. This is a huge improvement over the previous situation, especially forInternet Explorer.

We have confirmed that VU#625617 can be used to reliably execute code on Windows, OS X, and Linux platforms. And the exploit code for the vulnerability is publicly available and already incorporated into exploit kits. This should be enough motivation for you to turn Java off. How can you determine whether you need Java in your browser? Turn it off and see how many web sites break. If the web works fine, then leave it off. You may be pleasantly surprised (and safer as a result).

Conclusion

A few months back SonicWALL was bought by Dell.  We have been nervous about this somewhat odd pairing.  We are encouraged by the prompt action the company took in recognizing and blocking this new threat.

SonicWALL TZ-200

This device is not cheap.  The SonicWALL website lists the base price as $495.  If you want wifi, add another $100.  But SonicWALL is really in the subscription business.  Basic protection, called the “Comprehensive Gateway Security Suite Bundle,” costs $330 for one year.  Substantial discounts are available for multi-year contracts: $490 for two years and $605 for three.  I recommend starting with a one-year contract.  SonicWALL offers free trials of some other options.  For us, the most attractive option is probably the Comprehensive Anti-Spam Service ($225 for one year, multi-year discounts available).  You can click here to see the complete menu.

But discounts are available through SonicWALL authorized dealers.  We bought ours from Pacific Computer Supply in Mountain View.  Search their site for TZ200. And remember the prices quoted generally are for a bundle of hardware and various security services.

From the SonicWALL website:

The Dell™ SonicWALL™ TZ 200 Series integrates Unified Threat Management with critical business continuity features to provide a powerful branch office and small business security platform. The TZ 200 provides critical failover capabilities for optimal uptime, with support through USB 3G and analog modem failover as well as multi WAN failover. Sophisticated anti-spam capabilities further add to the protection provided by Unified Threat Management (UTM) services, delivering a powerful and efficient security solution to distributed enterprises, small- to medium-sized businesses (SMBs), retail locations and managed service providers.

SonicWALL’s headquarters are in San Jose.  On Twitter they are @sonicwall.  Other contact information