SANS Internet Storm Center (SANS ISC) InfoSec Forums
Java 0-Day patched as Java 7 U 11 released

Oracle has released Java 7 Update 11 (7u11), which addresses the 0-day vulnerability tracked as CVE-2013-0422.

Release notes are available on the Oracle website.

The release also contains a reminder to 'reactivate' your Java installation in the control panel if you turned it off, or to reactivate it in Firefox. Watch for the rush now.

Thanks to Michael and PSZ for the heads-up.

Steve (ISC Handler)
Thanks for the report.
I ran the uninstaller in CCleaner just because the word out there was sounding a bit scary.
And I removed all remnants in the folders in Windows manually and with JavaRa.
raproducts.org/wordpress/

Now I'm downloading the versions so I can re-install them.
Thank You,
BC
Anonymous
" The release also contains a reminder to 'reactivate' your Java installation in the control panel if you turned it off, or to reactivate it in Firefox. Watch for the rush now."

Personally, I would recommend, for most people, that the browser plugin be left turned off permanently if possible.
(Definitely update, or uninstall, however)

Most users will rarely require a site that uses Java applets, so keep the Java plugin shut off if at all possible; even with the vuln patched it should be seen as a big risk, due to Java's apparently inadequate sandboxing.

The harder problem is the MS Internet Explorer vulnerabilities.

Mysid

146 Posts
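A check for the two things the diary and the comment above ask of a Windows host, as an added example that is not part of the diary, of Oracle's code or of any CERT guidance: that the installed Java 7 is at least Update 11, and that the browser plugin is still off. It assumes the first line of `java -version` output and the per-user deployment.properties file that the Java 7u10+ control panel writes (the `deployment.webjava.enabled` key is the one the "Enable Java content in the browser" checkbox toggles); both inputs below are constructed samples, not captured from a real host.

```python
"""Check that a Java 7 install is at least 7u11 and that the browser plugin is off.

Added example; not code from the diary, from Oracle or from CERT. Both inputs
(the `java -version` text and the deployment.properties file) are constructed
to look like what a Windows host running 7u11 produces.
"""
import re

# Java 7 Update 11 carries the fix for CVE-2013-0422, the 0-day the diary reports.
FIXED_UPDATE = 11

# Matches the first line of `java -version`, e.g. 'java version "1.7.0_11"'.
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Constructed sample: what `java -version` prints after installing 7u11.
SAMPLE_VERSION_OUTPUT = '''java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) Client VM (build 23.6-b04, mixed mode, sharing)
'''

# Constructed sample: a per-user deployment.properties (on Windows this lives under
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment) after the 7u10+ control panel
# checkbox "Enable Java content in the browser" has been cleared.
SAMPLE_PROPERTIES = r'''#deployment.properties
#Mon Jan 14 10:02:11 EST 2013
deployment.version=7.11
deployment.security.level=HIGH
deployment.webjava.enabled=false
deployment.javaws.splash.cache=C\:\\Users\\steve\\AppData\\LocalLow\\Sun\\Java\\Deployment\\splash\\splash.xml
'''


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def assess(version):
    """Classify a parsed version against the 7u11 baseline.

    Comparison is done on integer tuples on purpose: as plain strings
    "1.7.0_9" sorts *after* "1.7.0_11", which is exactly the mistake that makes
    an unpatched host look current.
    """
    if version is None:
        return "unknown"
    if version[:3] != (1, 7, 0):
        # CVE-2013-0422 is a Java 7 issue; other families need their own baseline.
        return "not-java7"
    return "patched" if version[3] >= FIXED_UPDATE else "vulnerable"


def parse_properties(text):
    """Minimal reader for the Java .properties format used by deployment.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue
        key, value = m.groups()
        # Undo the escaping Java applies when it writes the file (\: \= \\).
        props[key] = re.sub(r"\\(.)", r"\1", value)
    return props


def browser_plugin_enabled(props):
    """True unless the control-panel setting explicitly disables the plugin.

    A missing key means the default, and the default is enabled.
    """
    return props.get("deployment.webjava.enabled", "true").lower() != "false"


def audit(version_output, properties_text):
    """Combine both checks into the findings a handler would want at a glance."""
    version = parse_java_version(version_output)
    props = parse_properties(properties_text)
    return {
        "version": version,
        "status": assess(version),
        "browser_plugin_enabled": browser_plugin_enabled(props),
        "security_level": props.get("deployment.security.level"),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_OUTPUT, SAMPLE_PROPERTIES))
```

Run it against real output by piping `java -version 2>&1` and the contents of the per-user deployment.properties into `audit()`; a host that reports `"status": "patched"` but `"browser_plugin_enabled": True` is the "rush to reactivate" case the diary warns about.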
Haven't researched it but this just hit a news site here in NZ
http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert
Doug

2 Posts
To Doug's point, this issue might not be completely resolved --> http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/
Resist0r

1 Posts
I won't reactivate it. PERIOD.
MarlonBorba

3 Posts
Don't install it unless you need it. Less than 0.2% of public websites need it (W3Techs http://w3techs.com/technologies/overview/client_side_language/all)

Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312
MarlonBorba
7 Posts
[ Don't install it unless you need it. Less than 0.2% of public websites need it (W3Techs http://w3techs.com/technologies/overview/client_side_language/all)

Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312
posted by Cricket, Mon Jan 14 2013, 16:25 ]
^^^^^
If what Cricket says is true, then why are we bothering to use this piece of work?

I'm going to unwind it altogether.

Mr.H.E.Clarke,III
MarlonBorba
20 Posts
7u11 only fixes the current 0-day, but not the underlying vulnerability.

The current Java 7 Update 11 release only fixes CVE-2012-3174; CVE-2013-0422 remains intact and Java 7 is still vulnerable. All an attacker need do is mix a new cocktail using the CVE-2012-3174 vulnerability plus a new twist and here we go all over again.

Immunity Products has already verified this here -
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
toymaster

13 Posts
- http://seclists.org/fulldisclosure/2013/Jan/142
18 Jan 2013 - "... We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21)... two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today [4] (along with a working Proof of Concept code)..."
Jack

160 Posts