Java JRE updates/advisories

[AplusWebMaster]

FYI...

Java exploitation remains high ...
- https://blogs.technet.com/themes/blo...ext&GroupKeys=
13 Oct 2011 - "... Most Frequent Exploits: ... Java exploitation remains high... The top four Java exploits are CVE-2010-0840, CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867..."
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5353
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3867
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0094
- http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0840

Exploit Detections (charted)
> http://www.microsoft.com/security/po...111012-002.png

[AplusWebMaster]

FYI...

Java exploit code available for recently patched vuln ...
ZDI-12-039: Oracle Java Web Start java-vm-args Command Argument Injection Remote Code Execution
- http://atlas.arbor.net/briefs/index#-2068343742
Severity: High Severity
Feb 24, 2012 - "Exploit code is available for a recently patched Java vulnerability.
Analysis: Oracle patched a series of Java security issues in February and at least one of these issues now has publicly available exploit code, as published in the Metasploit framework. While Metasploit is intended for authorized penetration testing purposes, attackers have no such scruples and will happily leverage freshly published exploit code to develop their own and incorporate the exploit into their malware kits. Such exploits also pay off for the attackers who launch targeted attacks, as many targets do not patch in a timely manner."
Source: http://www.zerodayinitiative.com/advisories/ZDI-12-039/
___

- https://isc.sans.edu/diary.html?storyid=12838
Last Updated: 2012-03-25 17:04:16 UTC - "... In slight modification of Oracle's own words: 'We highly recommend users remove all older versions of Java from your system. Keeping old and unsupported versions of Java on your system presents a serious security risk...' ..."

[AplusWebMaster]

FYI...

- http://www.oracle.com/technetwork/to...ts-086861.html
"... For Oracle Java SE Critical Patch Updates, the next three dates are:
12 June 2012
16 October 2012
19 February 2013 ..."
___

Critical Java hole being exploited on a large scale ...
- http://atlas.arbor.net/briefs/index#-1937641784
Severity: High Severity
Published: Wednesday, March 28, 2012 19:20
Java security vulnerability patched in February is now being used widely by criminals to install malware.
Analysis: Patch! Watch for outdated Java on the network as the presence of old Java User-Agents is often a sign that a system has been exploited and Java is now doing the attackers bidding, typically downloading something evil.
Source: http://h-online.com/-1485681
Update 29-03-12: "... Until an update is released that addresses the vulnerability, Mac OS X users can turn off Java. Users can disable Java via Java Preferences (Applications > Utilities > Java Preferences) by unchecking the installed version. Alternatively, users can disable Java in each of their browsers; in Apple's Safari browser, this can be done by unchecking the "Enable Java" and "Enable JavaScript" under the Security tab in Safari's Preferences..."
* http://www.h-online.com/open/news/it...ew=zoom;zoom=2
___

- http://atlas.arbor.net/briefs/index#-51701177
Elevated Severity
March 30, 2012
Source: http://blog.eset.com/2012/03/30/blac...07-and-carberp

Mac Flashback Exploiting Unpatched Java Vulnerability
- https://www.f-secure.com/weblog/archives/00002341.html
April 2, 2012

[AplusWebMaster]

FYI...

Java v7u5 / v6u33 released
- http://www.oracle.com/technetwork/ja...ads/index.html
June 12, 2012

- http://www.oracle.com/technetwork/to...2-1515912.html
"... contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

Risk Matrix
- http://www.oracle.com/technetwork/to...l#AppendixJAVA
7 Update 4 and before, 6 Update 32 and before, 5 Update 35 and before, 1.4.2_37 and before. JavaFX 2.1 and before...

Verify:
>> https://www.java.com/en/download/ins...tect=jre&try=1

Java SE 7u5 JRE
- http://www.oracle.com/technetwork/ja...s-1637588.html
Changes in 1.7.0_5
- http://www.oracle.com/technetwork/ja...s-1653274.html

Java SE 6 Update 33 JRE
- http://www.oracle.com/technetwork/ja...s-1637595.html
Changes in 1.6.0_33
- http://www.oracle.com/technetwork/ja...s-1653258.html
___

URGENT BULLETIN: All E-Business Suite End-Users...
- https://blogs.oracle.com/stevenChan/...re_auto_update
Update: June 14, 2012 - "To ensure that Java Users remain on a secure version, Windows systems that rely on auto-update will be auto-updated from JRE 6 to JRE 7. Until EBS is certified with JRE 7, EBS users should -not- rely on the windows auto-update mechanism for their client machines and should -manually- keep the JRE up to date with the latest versions of 6 on an ongoing basis..."

- http://h-online.com/-1618753
15 June 2012
___

- http://www.securitytracker.com/id/1027153
CVE Reference: CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726
Jun 12 2012
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Version(s): 1.4.2_37 and prior, 5.0 Update 35 and prior, 6 Update 32 and prior, 7 Update 4 and prior...

- https://secunia.com/advisories/49472/
Release Date: 2012-06-13
Criticality level: Highly critical
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote
Original Advisory: Oracle:
http://www.oracle.com/technetwork/to...e-1515971.html

[AplusWebMaster]

FYI...

Java v7u6 / v6u34 released
- http://www.oracle.com/us/corporate/press/1735645
August 14, 2012

- http://www.oracle.com/technetwork/ja...ads/index.html

Java SE 7u6 JRE
- http://www.oracle.com/technetwork/ja...s-1637588.html
Changes in 1.7.0_6
- http://www.oracle.com/technetwork/ja...s-1729681.html
Bug fixes
- http://www.oracle.com/technetwork/ja...s-1733378.html

Java SE 6 Update 34 JRE
- http://www.oracle.com/technetwork/ja...s-1637595.html
Changes in 1.6.0_34
- http://www.oracle.com/technetwork/ja...s-1729733.html
Bug fixes
- http://www.oracle.com/technetwork/ja...s-1733379.html

Java 6 EOL extended to February 2013
- https://blogs.oracle.com/henrik/entry/java_6_eol_h_h

Verify: https://www.java.com/en/download/ins...tect=jre&try=1
___

- http://h-online.com/-1667714
15 August 2012
___

- http://nakedsecurity.sophos.com/2012...r-apple-users/
Aug 15, 2012 - "... the latest Java version from Oracle is 7u6, also known as 1.7.0_6. If you don't intend to develop Java programs yourself, stick to the JRE. It's much smaller than the JDK, which reduces what's known in trendy-speak as your attack surface area. That's always a good thing. This new Java version includes a longish list of bugfixes*. These include: a few ominous-sounding ones with more than a whiff of vulnerability about them, such as 7166498 - JVM crash in ClassVerifier; the risky-sounding 7155051 - DNS provider may return incorrect results; and the intriguingly sticky-sounding 7178177 - Debug spewage when applets start up. With that in mind, I suggest you update as soon as practicable."
* http://www.oracle.com/technetwork/ja...s-1733378.html

[AplusWebMaster]

FYI...

New critical Java flaw claimed
- http://www.theregister.co.uk/2012/09...new_java_flaw/
26 Sep 2012- "Oracle's Java is making a play to wrest back the title of world's leakiest code from Internet Explorer, after Polish researcher Adam Gowdiak claimed another critical flaw exists in the product. The -new- claim is stated on the Full Disclosure mailing list where Gowdiak writes that the newly-found flaw impacts “all latest versions of Oracle Java SE software” and that it allows “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.” That's apparently worse than previous exploits, as they only hit Java 7..."
- http://arstechnica.com/security/2012...urity-sandbox/
Sep 25, 2012

Consider disabling Java* in your browser until the next update**.

* https://krebsonsecurity.com/how-to-u...m-the-browser/

** https://isc.sans.edu/diary.html?storyid=14017

- http://www.oracle.com/technetwork/to...ts-086861.html
"For Oracle Java SE Critical Patch Updates, the next three dates are:
16 October 2012
19 February 2013
18 June 2013 ..."
___

Java v7u7 / v6u35 released
* http://www.oracle.com/technetwork/to...e-1835710.html
August 30, 2012

Risk Matrix
- http://www.oracle.com/technetwork/to...l#AppendixJAVA
CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, CVE-2012-0547

- http://www.oracle.com/technetwork/ja...ads/index.html

Java SE 7u7 JRE
- http://www.oracle.com/technetwork/ja...s-1836441.html
Changes in 1.7.0_7
- http://www.oracle.com/technetwork/ja...s-1835816.html
"... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."
___

Java SE 6 Update 35 JRE
- http://www.oracle.com/technetwork/ja...s-1836473.html
Changes in 1.6.0_35
- http://www.oracle.com/technetwork/ja...s-1835788.html
"... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."
___

- http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4681 - 10.0 (HIGH)
Last revised: 09/01/2012 - "... as exploited in the wild in August 2012..."