Java Security Breach (Java 7 Update 10 and earlier)

 
 
oralloy
 
Reply Sat 12 Jan, 2013 01:02 pm

Quote:
Java 7 Update 10 and earlier Java 7 versions contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Quote:
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.


http://www.us-cert.gov/cas/techalerts/TA13-010A.html

http://www.kb.cert.org/vuls/id/625617

 
oralloy
 
Reply Sun 13 Jan, 2013 06:54 pm

Java 7 Update 11 has been released. This should fix the problem.
oralloy
 
Reply Tue 15 Jan, 2013 09:48 am
@oralloy,
oralloy wrote:
Java 7 Update 11 has been released. This should fix the problem.


Only a partial fix, it seems:
http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/



If anyone wants to roll back to Java 6, they can download it here:
http://www.java.com/en/download/manual_v6.jsp

They are only scheduled to release security updates for Java 6 through the end of February 2013. But the last version might be safe for a little while longer than that, since the platform is so mature, with all the bugs already worked out of it, and since the hackers will mostly be focused on compromising Java 7.

If it seems wise to switch back to Java 7 in a month or two in order to keep getting security patches, that will at least give them a little while longer to work out their problems with Java 7.
 
oralloy
 
Reply Thu 17 Jan, 2013 03:41 am

Found this line in the CERT knowledgebase article:

Quote:
Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains.


http://www.kb.cert.org/vuls/id/625617



Following their link to the "immunity" article, there is:

Quote:
After further analysis of the Oracle Java patch (Java 7 update 11), Immunity was able to identify that only one of the two bugs were fixed, making Java still vulnerable to one of the bugs used in the exploit found in the wild.

The patch did stop the exploit, fixing one of its components. But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users. (Assuming they now use a signed Java applet - one of the other changes introduced in this patch.)

Java is indeed a constant target for attackers, and nobody should be surprised if an attacker just replaces the patched bug with a different one and starts compromising machines again. This is why it is important for Oracle and their user base to start paying special attention to each bug because with an exploitation chain as the one is needed these days, every bug matters.


http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html