Java 6 0-Day exploit-in-the-wild
FYI...
- https://community.qualys.com/blogs/l...it-in-the-wild
Aug 26, 2013 - "CVE-2013-2463 is a vulnerability in the Java 2D subcomponent that was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 (including the latest u45) has the same vulnerability, as Oracle acknowledges in the CPU, but since Java 6 has become unsupported as of its End-of-Life in April 2013, there is no patch for the vulnerability... this time, things have become a bit more serious. As Matthew Schwartz reports in Informationweek*, F-Secure has seen exploits for this vulnerability in Java 6 in the wild. Further, they have seen it included in the Neutrino exploit kit, which guarantees that it will find widespread adoption. In addition, we still see very high rates of Java 6 installed (a bit over 50%), which means many organizations are vulnerable..."
* https://www.informationweek.com/secu...expl/240160443
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-2463 - 10.0 (HIGH)
___
- https://community.qualys.com/blogs/l...it-in-the-wild
Comments: "... OpenJDK 6 remains supported and actively patched for security flaws. An OpenJDK 6 patch for CVE-2013-2463 is available":
- http://mail.openjdk.java.net/piperma...ly/023941.html
___
- http://blog.trendmicro.com/trendlabs...oits-going-up/
Aug 28, 2013 - "... We urge users to carefully evaluate whether their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws."
___
- http://krebsonsecurity.com/2013/09/r...ecurity-fails/
4 Sep 2013
* http://krebsonsecurity.com/wp-conten...javaprompt.png
- https://www.cert.org/blogs/certcc/20...at_applet.html
- http://krebsonsecurity.com/how-to-un...m-the-browser/
Java JRE 7u40 released ...
Java JRE 7u51 released ...
FYI...
- http://www.oracle.com/technetwork/ja...s-1880261.html
Jan 14, 2014
Java SE Risk Matrix
- http://www.oracle.com/technetwork/to...l#AppendixJAVA
- http://www.oracle.com/technetwork/ja...ads/index.html
"This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."
- https://blogs.oracle.com/java/entry/java_se_7_update_51
"... important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."
Release Notes
- http://www.oracle.com/technetwork/ja...s-2085002.html
Recommended Version 7 Update 51
- https://www.java.com/en/download/manual.jsp
___
- http://www.securitytracker.com/id/1029608
CVE Reference: CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0382, CVE-2014-0385, CVE-2014-0387, CVE-2014-0403, CVE-2014-0408, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428
Jan 14 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 7 Update 51...
- https://secunia.com/advisories/56485/
Release Date: 2014-01-15
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...
___
Java Primary Cause of 91% of Attacks
- http://www.eweek.com/security/java-p...cks-cisco.html
2014-01-16 - "... no one technology was more abused or more culpable than Java, according to Cisco's latest annual security report*... What that means is that the final payload in observed attacks was a Java exploit..."
* http://www.cisco.com/web/offers/lp/2...ort/index.html
"... 91% of web exploits target Java..."