Thread: Java JRE updates/advisories

  1. #8
    AplusWebMaster (Adviser Team)

    Java JRE 7u9 / 6u37 released

    FYI...

    Java SE Critical Patch Update Advisory - October 2012
    - http://www.oracle.com/technetwork/to...2-1515924.html
    Oct 16, 2012

    Java JRE 7u9 released
    - http://www.oracle.com/technetwork/ja...s-1859586.html
    Oct 16, 2012

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-1863279.html

    Java JRE 6 Update 37
    - http://www.oracle.com/technetwork/ja...s-1859589.html
    Oct 16, 2012

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-1863283.html

    Java - October 2012 Risk Matrices
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    "This Critical Patch Update contains 30 new security fixes for Oracle Java SE. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."
    ___

    - http://atlas.arbor.net/briefs/index#1321617866
    Severity: High Severity
    October 17, 2012
    Oracle releases Java security patches that should be applied as soon as possible.
    Analysis: Given the damage that has been caused by malware infections and system intrusions caused by vulnerable versions of Java being exploited it is likely that the security holes patched herein will also be used by cyber-criminals, nation-state attackers and others in their quest to compromise systems and pursue a malicious agenda. Limiting the scope of browser-based Java to one specific browser that's only used on trusted applications and also wrapping Java on any Microsoft platform with a technology such as EMET to reduce the risk of future exploitation can help provide additional protection for this widely attacked software.

    - http://www.securitytracker.com/id/1027672
    CVE Reference: CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5078, CVE-2012-5079, CVE-2012-5080, CVE-2012-5081, CVE-2012-5082, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
    Oct 17 2012
    Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
    Version(s): 1.4.2_38 and prior, 5.0 Update 36 and prior, 6 Update 35, 7 Update 7 and prior
    Impact: A remote user can take full control of the target system.
    A remote user can access and modify data on the target system.
    A remote user can cause partial denial of service conditions on the target system.
    Solution: The vendor has issued a fix, described in the October 2012 Critical Patch Update advisory.
    The vendor's advisory is available at:
    http://www.oracle.com/technetwork/to...2-1515924.html

    - https://secunia.com/advisories/50949/
    Release Date: 2012-10-17
    Criticality level: Highly critical
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
    Where: From remote
    ... vulnerabilities are reported in the following products:
    * JDK and JRE 7 Update 7 and earlier.
    * JDK and JRE 6 Update 35 and earlier.
    * JDK and JRE 5.0 Update 36 and earlier.
    * SDK and JRE 1.4.2_38 and earlier.
    * JavaFX 2.2 and earlier.
    Solution: Apply updates.
    Original Advisory: Oracle:
    http://www.oracle.com/technetwork/to...2-1515924.html
    ___

    - http://javatester.org/
    Oct 17, 2012 - "... not all known bugs were fixed..."

    - http://blogs.computerworld.com/appli...t-java-updates
    Oct 18, 2012 - "... the ugly stuff. The biggest issue is that Oracle didn't patch all the known problems with Java. As a result, even these latest and greatest editions of Java remain vulnerable to a known critical flaw. Adam Gowdiak is the security researcher who found many of the recent flaws in Java. His last flaw became public knowledge on September 25th. Since the problem was exploitable on Java versions 5, 6 and 7, Gowdiak estimated that it put 1 billion users at risk. A couple security organizations, Heise and Kaspersky, have been in contact with Gowdiak about how well the latest versions of Java patch the flaws he discovered. Gowdiak told Heise Security "that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java". He claims that Oracle told him that the just-released package of 30 bug fixes was "already in its final testing phase" when he reported the September 25th flaw. In other words, he was too late to the party. He told Kaspersky the same thing. The flaw that puts a billion users at risk won't be patched until February 19, 2013. This is not to suggest, in any way, ignoring the latest updates to Java. Just recognize that they make you safer (30 bugs were fixed) rather than safe..."

    Last edited by AplusWebMaster; 2012-11-17 at 02:29.