New Java 0-day exploit - 2013.01.16
FYI...
New Java 0-day exploit - $5,000 per Buyer
- https://krebsonsecurity.com/2013/01/...000-per-buyer/
Jan 16, 2013 - "Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java... The hacker forum admin’s message... promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit... this same thing happened not long after Oracle released a Java update in October; a few weeks later, a Java 0day was being sold to a few private users on this same Underweb forum..."
- http://www.nbcnews.com/technology/te...main-1B7956548
"... Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes. HD Moore... said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web..."
Current Java new attack ...
FYI...
- http://h-online.com/-1814716
01 March 2013 - "... FireEye reports* that cyber criminals are exploiting previously unknown vulnerabilities in the -current- Java versions to deploy malware... The hole is found -both- in Java version 7 update 15 and in version 6 update 41...
To protect themselves, users can completely uninstall Java or at least disable it in their browser..."
* http://blog.fireeye.com/research/201...ero-day-2.html
- https://www.virustotal.com/en/file/c...94b8/analysis/
File name: Inst.exe
Detection ratio: 24/46
Analysis date: 2013-03-01
New Java 0-Day Attack Echoes Bit9 Breach
- https://krebsonsecurity.com/2013/03/...s-bit9-breach/
Mar 1, 2013 - 110.173.55.187
- https://secunia.com/advisories/52451/
Release Date: 2013-03-02
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
CVE Reference: https://cve.mitre.org/cgi-bin/cvenam...=CVE-2013-1493
... vulnerability is reported in version 7 update 15 and version 6 update 41. Other versions may also be affected.
Solution: No official solution is currently available.
Provided and/or discovered by: Reported as a 0-day.
Oracle Java Pre-Release Announcement - April 2013
FYI...
Oracle Java SE Critical Patch Update Pre-Release Announcement - April 2013
- http://www.oracle.com/technetwork/to...3-1928497.html
Apr 15, 2013 - "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for April 2013, which will be released on Tuesday, April 16, 2013... this Critical Patch Update contains -42- new security vulnerability fixes..."
Java JRE 7u21, 6u45 released
FYI...
- http://www.symantec.com/connect/blog...-2423-coverage
Updated: 26 Apr 2013 - "... this vulnerability is now seen as a high priority... Please be aware of -malware- that masquerades as software updates and patches - only download the patch from the official website."
Current version always shown here:
- https://www.java.com/en/download/manual.jsp
___
Java JRE 7u21
- http://www.oracle.com/technetwork/ja...s-1880261.html
April 16, 2013
Release Notes
- http://www.oracle.com/technetwork/ja...s-1932873.html
- https://blogs.oracle.com/security/en..._patch_update1
Apr 16, 2013
Oracle Java SE Critical Patch Update Advisory - April 2013
- http://www.oracle.com/technetwork/to...l#AppendixJAVA
April 16, 2013 - "This Critical Patch Update contains 42 new security fixes for Oracle Java SE. 39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."
Recommended Version 7 Update 21
- https://www.java.com/en/download/manual.jsp
- https://krebsonsecurity.com/2013/04/...ecurity-holes/
April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to-a-hacked-site-and-get-infected vulnerabilities..."
Java JRE 6 Update 45
- http://www.oracle.com/technetwork/ja...s-1902815.html
___
Java 7 Update 21 is available - Watch for Behaviour Changes
- https://isc.sans.edu/diary.html?storyid=15620
2013-04-16 - "... Oracle has significantly changed how Java runs with this version. Java now requires code signing, and will pop up brightly coloured dialogue boxes if your code is not signed. They now alert on unsigned, signed-but-expired and self-signed certificates. We'll even need to click "OK" when we try to download and execute signed and trusted Java... graphics you can expect to see once you update are:
> https://isc.sans.edu/diaryimages/ima...pired_cert.jpg
> https://isc.sans.edu/diaryimages/ima...igned_cert.jpg
Full details on the new run policy can be found here ==>
- https://www.java.com/en/download/hel...itydialogs.xml
And more information can be found here ==>
- http://www.oracle.com/technetwork/ja...g-1915323.html "
Dangerous defaults let certificates stay unchecked.
- http://www.h-online.com/security/new...ew=zoom;zoom=2
17 April 2013
___
- http://www.securitytracker.com/id/1028434
CVE Reference: CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440
Apr 16 2013
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.0 Update 41, 6 Update 43, 7 Update 17; and prior versions...
Solution: The vendor has issued a fix (6 Update 45, 7 Update 21)...
___
- http://www.f-secure.com/weblog/archives/00002544.html
April 23, 2013 - "A few days after Oracle released a critical patch, CVE-2013-2423* is found to (have) already been exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening... the Metasploit module was published on the 20th... the exploit was seen in the wild the day after..."
* https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-2423