Java 7 Update 11 Still has a Flaw
According to a posting yesterday by Adam Gowdiak of Security Explorations to Full Disclosure [1], Java 7 Update 11, the release Oracle shipped to fix CVE-2013-0422 [2], is still vulnerable: "[...] a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)."
The MBeanInstantiator bug has not yet been addressed. Yesterday, Security Explorations reported two more vulnerabilities (issues 50 and 51) to Oracle along with Proof of Concept code [3].
We received several comments from our readers after the patch was released [4]. How many of you have followed CERT's advice [5] to disable Java content in your web browser [6] after updating to 7u11? Please take a minute to answer our poll: What is your main concern about Java?
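As an added example (not part of the original diary, and not code from Oracle or Security Explorations), a small POSIX shell audit that captures the point above: it parses the `java -version` banner and flags any Java 7 build at Update 11 or older as still exposed to the sandbox bypass, and then checks whether Java content in the browser has been switched off. It assumes the Java Control Panel stores the "Enable Java content in the browser" checkbox as `deployment.webjava.enabled=false` in the per-user deployment.properties file, and assumes the Linux default path `$HOME/.java/deployment/deployment.properties` for that file; both are assumptions made for this example, not facts taken from the diary.

```shell
#!/bin/sh
# Added example, not from the ISC diary. Assumes POSIX sh; the live check at
# the bottom additionally assumes a `java` binary on PATH and (assumption)
# that the "Enable Java content in the browser" checkbox is stored as
# deployment.webjava.enabled in the per-user deployment.properties file.

# Extract "major minor update" from a `java -version` banner line such as
#   java version "1.7.0_11"
# and print it as three space-separated integers, e.g. "7 0 11".
# Returns 1 (prints nothing) if the line carries no 1.x.y_z version string.
java_version_triplet() {
    t=$(printf '%s\n' "$1" |
        sed -n 's/.*"1\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)_\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$t" ] || return 1
    printf '%s\n' "$t"
}

# Decide whether a banner line describes a Java 7 build at Update 11 or older.
# Exit status: 0 = 7u11 or older (sandbox bypass still present per the diary),
#              1 = a Java 7 build newer than Update 11,
#              2 = not a Java 7 version string (not covered by this check).
is_affected_version() {
    triplet=$(java_version_triplet "$1") || return 2
    set -- $triplet
    [ "$1" -eq 7 ] || return 2
    if [ "$3" -le 11 ]; then return 0; fi
    return 1
}

# Exit 0 if the given deployment.properties disables Java in the browser,
# 1 if the key is absent, set to true, or the file does not exist.
# (Key name is an assumption; it is what the Control Panel checkbox writes
# on the systems this example was written against.)
browser_java_disabled() {
    grep -q '^deployment\.webjava\.enabled=false[[:space:]]*$' "$1" 2>/dev/null
}

# Combined verdict for one host: prints one line and returns 0 only when the
# JRE is newer than 7u11 AND Java content in the browser is disabled.
audit() {
    banner=$1; props=$2
    rc=0; is_affected_version "$banner" || rc=$?
    case $rc in
        0) vstate="JRE is 7u11 or older: sandbox bypass still exploitable" ;;
        1) vstate="JRE is newer than 7u11" ;;
        *) vstate="could not parse a Java 7 version from: $banner" ;;
    esac
    if browser_java_disabled "$props"; then
        bstate="browser Java disabled"
    else
        bstate="browser Java ENABLED (or $props missing)"
    fi
    printf '%s; %s\n' "$vstate" "$bstate"
    if [ "$rc" -eq 1 ] && browser_java_disabled "$props"; then return 0; fi
    return 1
}

# Live check of this host when the script is run directly; skipped when no
# `java` is on PATH. Pass a different properties path as the first argument.
# (Linux per-user default path assumed; macOS and Windows use other locations.)
if command -v java >/dev/null 2>&1; then
    audit "$(java -version 2>&1 | head -n 1)" \
          "${1:-$HOME/.java/deployment/deployment.properties}" || :
fi
```

Note that a "JRE is newer than 7u11" verdict only means the build postdates the release Gowdiak tested; the diary makes no claim about which later update closes the MBeanInstantiator issue, so the browser-side check is the part to act on.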
[1] http://seclists.org/fulldisclosure/2013/Jan/142
[2] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
[3] http://www.security-explorations.com/en/SE-2012-01-status.html
[4] https://isc.sans.edu/diary/Java+0-Day+patched+as+Java+7+U+11+released/14932
[5] http://www.kb.cert.org/vuls/id/625617
[6] http://www.java.com/en/download/help/disable_browser.xml
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
I will be teaching SEC 503 in Toronto this coming June