Web browsers with plug-ins that allow interaction with Oracle Java or Adobe Shockwave Player and Reader may be vulnerable. An unauthenticated, remote attacker could exploit unpatched vulnerabilities, or any new vulnerability that may arise.
An unauthenticated, remote attacker could typically exploit a Java vulnerability in web browsers by convincing a user to follow a malicious URL. When the user visits the URL, it could allow the attacker to execute arbitrary code on the targeted system. Multiple vendors, such as Microsoft, Google, Apple, and Mozilla, have web browser products with the option to disable Java and the Java plug-in in web browsers. Information on how to disable Java in web browsers is available at the following links:
To exploit a vulnerability in Adobe Shockwave Player or Reader, an attacker could also use the same or similar tactics, such as convincing a user to view a malicious .swf file. If the user views the malicious file, an attacker could execute arbitrary code on the targeted system. Information on how to disable Shockwave and PDF plug-ins in web browsers is available at the following links:
For additional information about Java risks, mitigations, and best practices, see Java Security Best Practices.
US-CERT has released additional information about web browser risks, mitigations, and best practices at the following link: Securing Your Web Browser