Java 0-Day patched as Java 7 U 11 released

Published: 2013-01-13
Last Updated: 2013-01-13 21:36:56 UTC
by Stephen Hall (Version: 1)
9 comment(s)

Oracle has released Java 7 Update 11, which addresses the 0-day vulnerability tracked as CVE-2013-0422. The same update also raises the default security level in the Java Control Panel from 'Medium' to 'High', so unsigned applets now prompt before they run instead of running silently.

Release notes are available on the Oracle Web Site.

The release notes also contain a reminder to 'reactivate' Java in the browser from the Java Control Panel if you turned it off there, or to re-enable the plugin in Firefox if you disabled it in the browser. Watch for the rush now.

Thanks to Michael and PSZ for the heads-up.

Steve

Keywords: 0 Day java

Comments

Thanks for the report.
I ran the uninstaller in CCleaner just because the word out there was sounding a bit scary.
And I removed all remnants in the folders in windows manually and with JAVARA.
raproducts.org/wordpress/

Now I'm downloading the versions so I can re-install them.
Thank You,
BC
" The release also contains a reminder to 'reactivate' your Java installation in the control panel if you turned it off, or to reactivate it in Firefox. Watch for the rush now."

Personally, I would recommend, for most people, that the browser plugin be left turned off permanently if possible.
(Definitely update, or uninstall, however)

Most users will rarely require a site that uses Java applets, so keep the Java plugin shut off if at all possible; even with the vuln patched, it should be seen as a big risk, due to Java's apparently inadequate sandboxing.

The harder problem is the MS Internet Explorer vulnerabilities.

Haven't researched it but this just hit a news site here in NZ
http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert
To Doug's point, this issue might not be completely resolved--> http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/
I won't reactivate it. PERIOD.
Don't install it unless you need it. Less than 0.2% of public websites need it (W3Techs http://w3techs.com/technologies/overview/client_side_language/all)

Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312
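Both the diary's note about 'reactivating' the plugin and Cricket's pointer to the CERT guidance come down to two switches on a Windows host: the "Enable Java content in the browser" checkbox that Java 7u10 and later persist in deployment.properties as deployment.webjava.enabled, and Internet Explorer's per-zone "Java permissions" URL action (registry value 1C00 under the Internet zone key, where 0 means Disable Java according to Microsoft's URL policy constants). The following PowerShell script is an added example, not code from the diary, its commenters, Oracle or CERT; it audits both switches and, with -Remediate, pins them off. The deployment.properties paths are the standard Java 7 per-user (LocalLow) and system-wide (%WINDIR%\Sun\Java\Deployment) locations and are assumed here; the system-wide file only applies when a deployment.config points at it, and HKLM zone values only take effect when IE's Security_HKLM_only policy is set.

```powershell
# Added example (not from the ISC diary, its commenters, Oracle or CERT):
# audit whether the Java browser plug-in is really off on a Windows host,
# using the two controls discussed above. Run from an elevated PowerShell;
# add -Remediate to apply the fixes.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()

# --- 1. Java Control Panel: "Enable Java content in the browser" ----------
# Assumed standard Java 7 locations: per-user (LocalLow) and system-wide.
$propFiles = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'),
    (Join-Path $env:WINDIR      'Sun\Java\Deployment\deployment.properties')
)
$found = $false
foreach ($f in $propFiles) {
    if (-not (Test-Path $f)) { continue }
    $found = $true
    # Parse key=value lines; '#' comment lines never match the key pattern.
    $props = @{}
    foreach ($line in Get-Content $f) {
        if ($line -match '^\s*([^#=]+?)\s*=\s*(.*)$') { $props[$Matches[1]] = $Matches[2] }
    }
    $enabled = $props['deployment.webjava.enabled']
    if ($enabled -ne 'false') {
        $findings += "$f : deployment.webjava.enabled is '$enabled' (want 'false')"
        if ($Remediate) {
            # Drop any existing setting for the key, then pin the plug-in off.
            $kept = @(Get-Content $f | Where-Object { $_ -notmatch '^\s*deployment\.webjava\.enabled\s*=' })
            $kept + 'deployment.webjava.enabled=false' | Set-Content -Path $f
        }
    }
}
if (-not $found) {
    # No properties file at all means Java is running with its defaults,
    # and the default for the browser plug-in is "enabled".
    $findings += 'no deployment.properties found; plug-in is at its default (enabled)'
    if ($Remediate) {
        New-Item -ItemType Directory -Force -Path (Split-Path $propFiles[0]) | Out-Null
        Set-Content -Path $propFiles[0] -Value 'deployment.webjava.enabled=false'
    }
}

# --- 2. IE Internet zone (zone 3): URL action 0x1C00 "Java permissions" ---
# Values per Microsoft's URL policy flags: 0x0 Disable Java, 0x10000 High
# safety, 0x20000 Medium safety, 0x30000 Low safety. HKCU is what IE uses
# unless the Security_HKLM_only policy is set; both are checked here.
$zoneKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
foreach ($k in $zoneKeys) {
    if (-not (Test-Path $k)) { continue }
    $cur = (Get-ItemProperty -Path $k -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
    if ($null -eq $cur -or $cur -ne 0) {
        $findings += "$k\1C00 = $cur (want 0 = Disable Java)"
        if ($Remediate) { Set-ItemProperty -Path $k -Name '1C00' -Value 0 -Type DWord }
    }
}

# --- 3. Report -------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'OK: Java browser plug-in disabled in the Java Control Panel and in the IE Internet zone.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Remediate) { Write-Output 'Remediation applied; re-run without -Remediate to verify.' }
}
```

Re-run the audit after installing 7u11 (or any later updater), since that is exactly the moment the release notes invite you to switch the plugin back on; a Group Policy that manages the Internet zone will also silently overwrite the registry value. The script only blocks the browser plugin; it does not remove the JRE, which the comments above argue for separately.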
[
Don't install it unless you need it. Less than 0.2% of public websites need it (W3Techs http://w3techs.com/technologies/overview/client_side_language/all)

Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312
posted by Cricket, Mon Jan 14 2013, 16:25 ]
^^^^^
If what Cricket says is true,
then why are we bothering to use this piece of work?

I'm going to unwind it altogether.

Mr.H.E.Clarke,III
7u11 only fixes the current 0-day, but not the underlying vulnerability.

The current Java 7 Update 11 release only fixes CVE-2012-3174; CVE-2013-0422 remains intact and Java 7 is still vulnerable. All an attacker need do is mix a new cocktail using the CVE-2012-3174 vulnerability plus a new twist, and here we go all over again.

Immunity Products has already verified this here:
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
- http://seclists.org/fulldisclosure/2013/Jan/142
18 Jan 2013 - "... We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21)... two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today [4] (along with a working Proof of Concept code)..."
