AfterDawn: Tech news

Oracle patches Java vulnerability

Written by Andre Yoskowitz @ 14 Jan 2013 10:38 User comments (4)

Oracle patches Java vulnerability

Oracle has quickly patched the Java vulnerability that was bad it forced Apple and others to block Java from their browsers.
Says Oracle: This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.



Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.


Check it here: CVE-2013-0422

Original Story:
A huge security exploit was discovered for Java versions 4 through 7 earlier this week, prompting the U.S. Department of Homeland Security to recommend users block the browser plug-in until Oracle can patch it.

Instead of giving users the choice, Apple has gone the safe route, blocking the plug-in from within Mac OS X.

The vulnerability allows remote installation of malware such as keyloggers and software that could turn your PC into a zombie for a botnet.

"We are currently unaware of a practical solution to this problem," said Homeland Security's Computer Emergency Readiness Team (CERT). "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple was able to block the plug-in by updating its "Xprotect.plist" blacklist "to require a minimum of 1.7.0_10-b19 version of Java 7," which is set for release in a few weeks. All other versions fail the anti-malware checks of the OS.

Previous Next  

4 user comments

118.1.2013 18:47

Yet the patched version has been demonstrated to be insecure as well.

http://krebsonsecurity.com/2013/01/new-...5000-per-buyer/

This message has been edited since its posting. Latest edit was made on 18 Jan 2013 @ 6:47

230.1.2013 02:10

Is it fully secured now?

330.1.2013 13:23

Originally posted by jishnub:
Is it fully secured now?
Since no updated patch has been released by Oracle in the interim, it would appear the answer is "no". There have been many comments on the Krebsonsecurity article referenced in the link I originally posted -- some highly relevant, some which are far less worthwhile to 'unhide' and read because of their low user-rating and lack of brevity -- but the last brief comment from 1/27/2013 is definitely worthwhile and provides this reference link to a more thorough assessment and overview of the vulnerability:

http://seclists.org/fulldisclosure/2013/Jan/241

43.2.2013 17:55

New patch pushed out early and available now addresses many vulnerabilities. This is apparently the last update for Java 6.

Comments have been disabled for this article.

News archive