Java 0-day impact to Java 6 (and beyond?)
The ISC has covered Java a number of times recently, with Johannes's commentary and Adam's January 2013 OUCH! heads-up on the issues with Java 7 update 10 and the 0-day currently doing the rounds.
However, the guys over at Immunity have released their analysis (PDF) of the MBeanInstantiator.findClass 0-day. Besides an excellent review of the 0-day, they comment that:
"This vulnerability affects JDK 6 (at least from update 10 and greater) up to the latest JDK 7 update 10. The comments in the source code state that these classes MBeanInstantiator and JmxMBeanServer are available since JDK 5, but we did not check versions before JDK 6 update 10."
So, this tells us that if you are using JDK 6, this 0-day likely now includes you as a potential target, and maybe even if you have systems with JDK 5 installed.
Let's hope Oracle patches this one soon, and if the article is correct, completely this time.
Steve
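The affected range quoted above can be turned into a quick inventory triage. The following is an added example, not part of the original diary or Immunity's analysis; the host names, version strings and status labels are constructed for illustration, and it assumes the legacy `1.<major>.0_<update>` version format reported by `java -version` on these releases.

```python
import re

# Legacy "1.<major>.<minor>_<update>" scheme, e.g. 1.6.0_37 is JDK 6 update 37.
_VERSION_RE = re.compile(r'(?<![\d.])1\.(\d+)\.\d+(?:_(\d+))?')

AFFECTED = "affected"               # inside the range Immunity reports
UNVERIFIED = "unverified"           # Immunity did not check these versions
OUTSIDE = "outside-reported-range"  # not in the quoted range; no claim that it is fixed
UNPARSED = "unparsed"               # no legacy Java version string found

# Constructed sample inventory: host name -> version string or `java -version` line.
SAMPLE_INVENTORY = {
    "build01": 'java version "1.7.0_10"',
    "app02": "1.6.0_37",
    "legacy03": "1.5.0_22",
    "kiosk04": "1.6.0_07",
    "web05": "1.7.0_11",
    "db06": "command not found",
}


def parse_java_version(text):
    """Return (major, update) from a legacy version string, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Map one version string onto the range stated in the quoted analysis."""
    parsed = parse_java_version(text)
    if parsed is None:
        return UNPARSED
    major, update = parsed
    if major == 6:   # "at least from update 10 and greater"
        return AFFECTED if update >= 10 else UNVERIFIED
    if major == 7:   # "up to the latest JDK 7 update 10"
        return AFFECTED if update <= 10 else OUTSIDE
    if major == 5:   # classes exist since JDK 5, but it was not checked
        return UNVERIFIED
    return OUTSIDE


def triage(inventory):
    """Group host names by status so the affected ones can be prioritised."""
    groups = {}
    for host, version_text in inventory.items():
        groups.setdefault(classify(version_text), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}
```

Hosts in the `unverified` group are the JDK 5 and early JDK 6 installs the quote leaves open, so they warrant the same attention as the `affected` ones until checked.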