Carnegie Mellon University Website Home Page

SECURITY ALERT: Critical Vulnerability in Java version 7 (or 1.7) 8/29/2012

(US Eastern Time)
DAY: Wednesday
DATE: August 29, 2012


Windows, Mac and Linux users running Java version 7 (or 1.7).


A critical vulnerability has been found in Java and it is being actively exploited to compromise computers. Based on current information, only computers running Java version 7 (or 1.7) are vulnerable. Computers running Java 6 and earlier do not appear to be affected. To date, no patch has been released by Oracle to correct this vulnerability. The Information Security Office is actively monitoring and blocking known malicious sites.


Users should verify which version of Java is being used by their browser(s). This can be done by using the Patch Check tool available on the Information Security Office website. Be sure to verify the version of Java for each browser that you use.

• If you are running Java version 6 (or 1.6), no additional action is needed at this time. An update to this alert will be published if any new information shows that other versions of Java are affected.

• If you are running Java version 7 (or 1.7), it is recommended that you disable the Java plug-in within your browser(s) until a patch is made available. If Java is required for certain Web applications that you use, it is recommended that you leave Java enabled on one browser for this purpose and use a different browser, with Java disabled, for more general Internet use. An update to this alert will be published once a patch is released for this vulnerability.

NOTE: Users may need administrative access to their computer to disable browser plug-ins like Java. If you have a departmental system administrator or you are a DSP client, you should check with that person or group before attempting to disable Java. This should not be an issue for those who manage their own computer.


Instructions on how to disable the Java plug-in for your browser can be found at the following locations:

Visit the following location if you would like to verify that Java has been properly disabled:


Additional information about this vulnerability can be found at the following location:


Please direct any questions or comments to the Computing Services Help Center (412-268-HELP) or to your departmental administrator or DSP consultant.