Java 7 Update 11 Still has a Flaw

Published: 2013-01-19
Last Updated: 2013-01-19 22:27:27 UTC
by Guy Bruneau (Version: 1)
9 comment(s)

According to a posting made yesterday to Full Disclosure by Adam Gowdiak of Security Explorations, Java 7 Update 11 (CVE-2013-0422) is still vulnerable, as "[...] a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)."[1]

The MBeanInstantiator bug hasn't been addressed yet. Yesterday, Security Explorations reported two more vulnerabilities (issues 50 and 51) to Oracle, along with Proof of Concept code [3].

We received several comments from our readers after the patch was released [4]. How many of you have followed CERT's advice to disable Java content in your web browsers after updating to 7u11? Please take a minute to answer our poll: What is your main concern about Java?



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

I will be teaching SEC 503 in Toronto this coming June
