
Thread: Java JRE updates/advisories

  1. #1
    AplusWebMaster (Adviser Team; member since Oct 2005, USA)

    Java JRE updates/advisories

    FYI...

    Java exploitation remains high ...
    - https://blogs.technet.com/themes/blo...ext&GroupKeys=
    13 Oct 2011 - "... Most Frequent Exploits: ... Java exploitation remains high... The top four Java exploits are CVE-2010-0840, CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867..."
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5353
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-3867
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0094
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-0840

    Exploit Detections (charted)
    > http://www.microsoft.com/security/po...111012-002.png

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    AplusWebMaster (Adviser Team)

    Java exploit code available for recently patched vuln ...

    FYI...

    Java exploit code available for recently patched vuln ...
    ZDI-12-039: Oracle Java Web Start java-vm-args Command Argument Injection Remote Code Execution
    - http://atlas.arbor.net/briefs/index#-2068343742
    Severity: High
    Feb 24, 2012 - "Exploit code is available for a recently patched Java vulnerability.
    Analysis: Oracle patched a series of Java security issues in February and at least one of these issues now has publicly available exploit code, as published in the Metasploit framework. While Metasploit is intended for authorized penetration testing purposes, attackers have no such scruples and will happily leverage freshly published exploit code to develop their own and incorporate the exploit into their malware kits. Such exploits also pay off for the attackers who launch targeted attacks, as many targets do not patch in a timely manner."
    Source: http://www.zerodayinitiative.com/advisories/ZDI-12-039/
    ___

    - https://isc.sans.edu/diary.html?storyid=12838
    Last Updated: 2012-03-25 17:04:16 UTC - "... In slight modification of Oracle's own words: 'We highly recommend users remove all older versions of Java from your system. Keeping old and unsupported versions of Java on your system presents a serious security risk...' ..."

    Last edited by AplusWebMaster; 2012-03-27 at 23:45.

  3. #3
    AplusWebMaster (Adviser Team)

    Critical Java exploit - large scale ...

    FYI...

    - http://www.oracle.com/technetwork/to...ts-086861.html
    "... For Oracle Java SE Critical Patch Updates, the next three dates are:
    12 June 2012
    16 October 2012
    19 February 2013 ..."
    ___

    Critical Java hole being exploited on a large scale ...
    - http://atlas.arbor.net/briefs/index#-1937641784
    Severity: High
    Published: Wednesday, March 28, 2012 19:20
    Java security vulnerability patched in February is now being used widely by criminals to install malware.
    Analysis: Patch! Watch for outdated Java on the network, as the presence of old Java User-Agents is often a sign that a system has been exploited and Java is now doing the attacker's bidding, typically downloading something evil.
    Source: http://h-online.com/-1485681
    Update 29-03-12: "... Until an update is released that addresses the vulnerability, Mac OS X users can turn off Java. Users can disable Java via Java Preferences (Applications > Utilities > Java Preferences) by unchecking the installed version. Alternatively, users can disable Java in each of their browsers; in Apple's Safari browser, this can be done by unchecking the "Enable Java" and "Enable JavaScript" under the Security tab in Safari's Preferences..."
    * http://www.h-online.com/open/news/it...ew=zoom;zoom=2
    ___

    - http://atlas.arbor.net/briefs/index#-51701177
    Elevated Severity
    March 30, 2012
    Source: http://blog.eset.com/2012/03/30/blac...07-and-carberp

    Mac Flashback Exploiting Unpatched Java Vulnerability
    - https://www.f-secure.com/weblog/archives/00002341.html
    April 2, 2012

    Last edited by AplusWebMaster; 2012-04-23 at 17:17.
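The ATLAS note quoted in the post above says to watch the network for old Java User-Agents and for Java "downloading something evil". The following is an added example of that detection, not code from the post or from any vendor it cites: it pulls the Java plug-in version out of the User-Agent field of proxy log lines and flags clients that are below a patched baseline or that fetch an executable with the Java UA. The log format (a squid-style line with the UA quoted at the end), the five sample lines and the baseline of 6u33 / 7u5 (the June 2012 releases named later in this thread) are constructed for the demo; update BASELINE to the current Critical Patch Update before using it.

```python
"""Flag outdated or payload-fetching Java user-agents in proxy logs.

Added example, not part of the forum post. The Java browser plug-in identifies
itself with a User-Agent such as "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29".
BASELINE and the log format below are assumptions for this demo.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum patched update level per Java family (6u33 / 7u5, June 2012 CPU).
# Assumption for the demo: set this to the current CPU when running it for real.
BASELINE: Dict[int, int] = {6: 33, 7: 5}

# "Java/1.6.0_29"; GA builds such as "Java/1.7.0" carry no update suffix.
JAVA_UA_RE = re.compile(r"\bJava/1\.(\d)\.\d+(?:_(\d+))?")

# Assumed log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Native executables fetched by the Java UA are the "something evil" worth a look.
PAYLOAD_EXT = (".exe", ".dll", ".scr")

# Constructed sample traffic (not real data).
SAMPLE_LOG = [
    '2012-03-29T10:01:02Z 10.0.0.21 GET http://example.test/ads/banner.gif 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"',
    '2012-03-29T10:01:05Z 10.0.0.21 GET http://example.test/x/calc.exe 200 "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_29"',
    '2012-03-29T10:02:11Z 10.0.0.37 GET http://example.test/app/applet.jar 200 "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_05"',
    '2012-03-29T10:03:40Z 10.0.0.44 GET http://example.test/intranet/timecard 200 "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_05"',
    '2012-03-29T10:04:01Z 10.0.0.50 GET http://example.test/update 200 "Mozilla/4.0 (Linux 2.6.32) Java/1.5.0_22"',
]


def parse_java_version(ua: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a Java UA, e.g. (6, 29); None if the UA is not Java."""
    m = JAVA_UA_RE.search(ua)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_outdated(version: Tuple[int, int], baseline: Dict[int, int] = BASELINE) -> bool:
    """Below the patched update for its family, or a family with no public updates at all."""
    family, update = version
    if family not in baseline:  # 1.4.2 / 5.0: no longer publicly patched
        return True
    return update < baseline[family]


def scan(lines: List[str], baseline: Dict[int, int] = BASELINE) -> List[dict]:
    """Return one finding per log line whose Java UA is outdated or fetches an executable."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        version = parse_java_version(m["ua"])
        if version is None:
            continue  # not the Java plug-in
        reasons = []
        if is_outdated(version, baseline):
            reasons.append("outdated Java %d update %d" % version)
        path = m["url"].split("?", 1)[0].lower()
        if path.endswith(PAYLOAD_EXT):
            reasons.append("Java fetched %s" % path.rsplit("/", 1)[-1])
        if reasons:
            findings.append({"client": m["client"], "url": m["url"],
                             "version": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], "%d u%d" % f["version"], "; ".join(f["reasons"]), f["url"])
```

Run against the constructed lines it reports 10.0.0.21 (6u29, and it pulled calc.exe) and 10.0.0.50 (Java 5), while the two 7u5 clients stay quiet. An applet legitimately downloads .jar files, so those are deliberately not treated as payloads; extend PAYLOAD_EXT or add destination reputation as your environment warrants.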

  4. #4
    AplusWebMaster (Adviser Team)

    Java v7u5 / v6u33 released

    FYI...

    Java v7u5 / v6u33 released
    - http://www.oracle.com/technetwork/ja...ads/index.html
    June 12, 2012

    - http://www.oracle.com/technetwork/to...2-1515912.html
    "... contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

    Risk Matrix
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    7 Update 4 and before, 6 Update 32 and before, 5 Update 35 and before, 1.4.2_37 and before. JavaFX 2.1 and before...

    Verify:
    >> https://www.java.com/en/download/ins...tect=jre&try=1

    Java SE 7u5 JRE
    - http://www.oracle.com/technetwork/ja...s-1637588.html
    Changes in 1.7.0_5
    - http://www.oracle.com/technetwork/ja...s-1653274.html

    Java SE 6 Update 33 JRE
    - http://www.oracle.com/technetwork/ja...s-1637595.html
    Changes in 1.6.0_33
    - http://www.oracle.com/technetwork/ja...s-1653258.html
    ___

    URGENT BULLETIN: All E-Business Suite End-Users...
    - https://blogs.oracle.com/stevenChan/...re_auto_update
    Update: June 14, 2012 - "To ensure that Java Users remain on a secure version, Windows systems that rely on auto-update will be auto-updated from JRE 6 to JRE 7. Until EBS is certified with JRE 7, EBS users should -not- rely on the windows auto-update mechanism for their client machines and should -manually- keep the JRE up to date with the latest versions of 6 on an ongoing basis..."

    - http://h-online.com/-1618753
    15 June 2012
    ___

    - http://www.securitytracker.com/id/1027153
    CVE Reference: CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726
    Jun 12 2012
    Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
    Version(s): 1.4.2_37 and prior, 5.0 Update 35 and prior, 6 Update 32 and prior, 7 Update 4 and prior...

    - https://secunia.com/advisories/49472/
    Release Date: 2012-06-13
    Criticality level: Highly critical
    Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access
    Where: From remote
    Original Advisory: Oracle:
    http://www.oracle.com/technetwork/to...e-1515971.html

    Last edited by AplusWebMaster; 2012-06-15 at 17:57.

  5. #5
    AplusWebMaster (Adviser Team)

    Java v7u6 / v6u34 released

    FYI...

    Java v7u6 / v6u34 released
    - http://www.oracle.com/us/corporate/press/1735645
    August 14, 2012

    - http://www.oracle.com/technetwork/ja...ads/index.html

    Java SE 7u6 JRE
    - http://www.oracle.com/technetwork/ja...s-1637588.html
    Changes in 1.7.0_6
    - http://www.oracle.com/technetwork/ja...s-1729681.html
    Bug fixes
    - http://www.oracle.com/technetwork/ja...s-1733378.html

    Java SE 6 Update 34 JRE
    - http://www.oracle.com/technetwork/ja...s-1637595.html
    Changes in 1.6.0_34
    - http://www.oracle.com/technetwork/ja...s-1729733.html
    Bug fixes
    - http://www.oracle.com/technetwork/ja...s-1733379.html

    Java 6 EOL extended to February 2013
    - https://blogs.oracle.com/henrik/entry/java_6_eol_h_h

    Verify: https://www.java.com/en/download/ins...tect=jre&try=1
    ___

    - http://h-online.com/-1667714
    15 August 2012
    ___

    - http://nakedsecurity.sophos.com/2012...r-apple-users/
    Aug 15, 2012 - "... the latest Java version from Oracle is 7u6, also known as 1.7.0_6. If you don't intend to develop Java programs yourself, stick to the JRE. It's much smaller than the JDK, which reduces what's known in trendy-speak as your attack surface area. That's always a good thing. This new Java version includes a longish list of bugfixes*. These include: a few ominous-sounding ones with more than a whiff of vulnerability about them, such as 7166498 - JVM crash in ClassVerifier; the risky-sounding 7155051 - DNS provider may return incorrect results; and the intriguingly sticky-sounding 7178177 - Debug spewage when applets start up. With that in mind, I suggest you update as soon as practicable."
    * http://www.oracle.com/technetwork/ja...s-1733378.html

    Last edited by AplusWebMaster; 2012-08-19 at 18:10.

  6. #6
    AplusWebMaster (Adviser Team)

    Java v7u7 / v6u35 released

    FYI...

    New critical Java flaw claimed
    - http://www.theregister.co.uk/2012/09...new_java_flaw/
    26 Sep 2012 - "Oracle's Java is making a play to wrest back the title of world's leakiest code from Internet Explorer, after Polish researcher Adam Gowdiak claimed another critical flaw exists in the product. The -new- claim is stated on the Full Disclosure mailing list where Gowdiak writes that the newly-found flaw impacts "all latest versions of Oracle Java SE software" and that it allows "a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7." That's apparently worse than previous exploits, as they only hit Java 7..."
    - http://arstechnica.com/security/2012...urity-sandbox/
    Sep 25, 2012

    Consider disabling Java* in your browser until the next update**.

    * https://krebsonsecurity.com/how-to-u...m-the-browser/

    ** https://isc.sans.edu/diary.html?storyid=14017

    - http://www.oracle.com/technetwork/to...ts-086861.html
    "For Oracle Java SE Critical Patch Updates, the next three dates are:
    16 October 2012
    19 February 2013
    18 June 2013 ..."
    ___

    Java v7u7 / v6u35 released
    * http://www.oracle.com/technetwork/to...e-1835710.html
    August 30, 2012

    Risk Matrix
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, CVE-2012-0547

    - http://www.oracle.com/technetwork/ja...ads/index.html

    Java SE 7u7 JRE
    - http://www.oracle.com/technetwork/ja...s-1836441.html
    Changes in 1.7.0_7
    - http://www.oracle.com/technetwork/ja...s-1835816.html
    "... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."
    ___

    Java SE 6 Update 35 JRE
    - http://www.oracle.com/technetwork/ja...s-1836473.html
    Changes in 1.6.0_35
    - http://www.oracle.com/technetwork/ja...s-1835788.html
    "... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."
    ___

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2012-4681 - 10.0 (HIGH)
    Last revised: 09/01/2012 - "... as exploited in the wild in August 2012..."

    Last edited by AplusWebMaster; 2012-09-26 at 16:44.

  7. #7
    AplusWebMaster (Adviser Team)

    Java/Oracle pre-release announcement - October 2012

    FYI...

    - http://www.oracle.com/technetwork/to...2-1515924.html
    "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for October 2012, which will be released on Tuesday, October 16, 2012... This Critical Patch Update contains 30 new security fixes for Oracle Java SE. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."


  8. #8
    AplusWebMaster (Adviser Team)

    Java JRE 7u9 / 6u37 released

    FYI...

    Java SE Critical Patch Update Advisory - October 2012
    - http://www.oracle.com/technetwork/to...2-1515924.html
    Oct 16, 2012

    Java JRE 7u9 released
    - http://www.oracle.com/technetwork/ja...s-1859586.html
    Oct 16, 2012

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-1863279.html

    Java JRE 6 Update 37
    - http://www.oracle.com/technetwork/ja...s-1859589.html
    Oct 16, 2012

    Release Notes
    - http://www.oracle.com/technetwork/ja...s-1863283.html

    Java - October 2012 Risk Matrices
    - http://www.oracle.com/technetwork/to...l#AppendixJAVA
    "This Critical Patch Update contains 30 new security fixes for Oracle Java SE. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."
    ___

    - http://atlas.arbor.net/briefs/index#1321617866
    Severity: High
    October 17, 2012
    Oracle releases Java security patches that should be applied as soon as possible.
    Analysis: Given the damage that has been caused by malware infections and system intrusions caused by vulnerable versions of Java being exploited it is likely that the security holes patched herein will also be used by cyber-criminals, nation-state attackers and others in their quest to compromise systems and pursue a malicious agenda. Limiting the scope of browser-based Java to one specific browser that's only used on trusted applications and also wrapping Java on any Microsoft platform with a technology such as EMET to reduce the risk of future exploitation can help provide additional protection for this widely attacked software.

    - http://www.securitytracker.com/id/1027672
    CVE Reference: CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5078, CVE-2012-5079, CVE-2012-5080, CVE-2012-5081, CVE-2012-5082, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
    Oct 17 2012
    Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
    Version(s): 1.4.2_38 and prior, 5.0 Update 36 and prior, 6 Update 35, 7 Update 7 and prior
    Impact: A remote user can take full control of the target system.
    A remote user can access and modify data on the target system.
    A remote user can cause partial denial of service conditions on the target system.
    Solution: The vendor has issued a fix, described in the October 2012 Critical Patch Update advisory.
    The vendor's advisory is available at:
    http://www.oracle.com/technetwork/to...2-1515924.html

    - https://secunia.com/advisories/50949/
    Release Date: 2012-10-17
    Criticality level: Highly critical
    Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
    Where: From remote
    ... vulnerabilities are reported in the following products:
    * JDK and JRE 7 Update 7 and earlier.
    * JDK and JRE 6 Update 35 and earlier.
    * JDK and JRE 5.0 Update 36 and earlier.
    * SDK and JRE 1.4.2_38 and earlier.
    * JavaFX 2.2 and earlier.
    Solution: Apply updates.
    Original Advisory: Oracle:
    http://www.oracle.com/technetwork/to...2-1515924.html
    ___

    - http://javatester.org/
    Oct 17, 2012 - "... not all known bugs were fixed..."

    - http://blogs.computerworld.com/appli...t-java-updates
    Oct 18, 2012 - "... the ugly stuff. The biggest issue is that Oracle didn't patch all the known problems with Java. As a result, even these latest and greatest editions of Java remain vulnerable to a known critical flaw. Adam Gowdiak is the security researcher who found many of the recent flaws in Java. His last flaw became public knowledge on September 25th. Since the problem was exploitable on Java versions 5, 6 and 7, Gowdiak estimated that it put 1 billion users at risk. A couple of security organizations, Heise and Kaspersky, have been in contact with Gowdiak about how well the latest versions of Java patch the flaws he discovered. Gowdiak told Heise Security "that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java". He claims that Oracle told him that the just-released package of 30 bug fixes was "already in its final testing phase" when he reported the September 25th flaw. In other words, he was too late to the party. He told Kaspersky the same thing. The flaw that puts a billion users at risk won't be patched until February 19, 2013. This is not to suggest, in any way, ignoring the latest updates to Java. Just recognize that they make you safer (30 bugs were fixed) rather than safe..."

    Last edited by AplusWebMaster; 2012-11-17 at 03:29.

  9. #9
    AplusWebMaster (Adviser Team)

    Java 7u10/6u38 released

    FYI...

    Java 7u10/6u38 released
    - http://www.oracle.com/technetwork/ja...ads/index.html
    Dec 11, 2012

    7u10 Downloads:
    - http://www.oracle.com/technetwork/ja...s-1880261.html

    Bug Fixes - JDK 7u10
    > http://www.oracle.com/technetwork/ja...s-1881008.html

    - http://www.oracle.com/technetwork/ja...s-1880995.html
    ___

    - http://h-online.com/-1770629
    17 Dec 2012

    > http://docs.oracle.com/javase/7/docs...-security.html

    > http://docs.oracle.com/javase/7/docs.../jweb/jcp.html

    - https://krebsonsecurity.com/2012/12/...shockwave-bug/
    Dec 19, 2012 - "... There are bug fixes with these releases, but no official security updates. However, the Java 7 update does include some new functionality designed to make it easier to disable Java in the browser..."
    ___

    6 Update 38 Downloads:
    - http://www.oracle.com/technetwork/ja...s-1877409.html

    Bug Fixes - JDK 6u38
    - http://www.oracle.com/technetwork/ja...s-1880999.html

    - http://www.oracle.com/technetwork/ja...s-1880997.html

    - http://www.oracle.com/technetwork/ja...ol-135779.html
    "... After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions..."

    Last edited by AplusWebMaster; 2012-12-20 at 05:44.

  10. #10
    AplusWebMaster (Adviser Team)

    Java 0-Day exploit ...

    FYI...

    Java 0-Day exploit ...
    - https://krebsonsecurity.com/2013/01/...-in-crimeware/
    Jan 10, 2013 - "The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java... According to both crimeware authors, the vulnerability exists in all versions of Java 7, including the latest — Java 7 Update 10... if you have Java installed, it would be a very good idea to unplug Java from your browser, or uninstall this program entirely if you don’t need it...
    Update: Alienvault Labs* say they have reproduced and verified the claims of a new Java zero-day that exploits a vulnerability in fully-patched versions of Java 7."
    * http://labs.alienvault.com/labs/inde...-java-zeroday/
    Jan 10, 2013 - "... It seems both Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild..."
    ___

    - http://www.kb.cert.org/vuls/id/625617
    Last revised: 14 Jan 2013
    Disabling Java in the Browser:
    - http://www.java.com/en/download/help...le_browser.xml

    - https://www.us-cert.gov/cas/techalerts/TA13-010A.html
    Last revised: 14 Jan 2013

    > Uncheck this setting: https://www.java.com/en/img/download/enable_java.jpg
    ___

    - https://secunia.com/advisories/51820/
    Last Update: 2013-01-14
    Criticality level: Extremely critical
    Impact: System access
    Where: From remote
    Solution: Update to version 7 update 11.

    - https://www.securelist.com/en/blog/2...t_Distribution
    "... There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem*... Metasploit developers have added an exploit module targeting this vulnerability CVE-2013-0422..."
    * https://www.securelist.com/en/images.../208194077.PNG

    - http://www.securitytracker.com/id/1027972
    CVE Reference: https://web.nvd.nist.gov/view/vuln/d...=CVE-2013-0422 - 10.0 (HIGH)
    Updated: Jan 13 2013
    Impact: Execution of arbitrary code via network, User access via network
    Exploit Included: Yes
    Version(s): 1.7 u10 and prior 1.7 versions
    Solution: The vendor has issued a fix (7 Update 11)...

    - http://blog.trendmicro.com/trendlabs...ng-ransomware/
    Jan 10, 2013 - "... Currently, this exploit is being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). CEK is the creation of the same author responsible for Blackhole Exploit Kit. It appears to be a high-end version of the more accessible BHEK. Zero-day exploits are first incorporated into CEK and only added into BHEK once they have been disclosed. It has been reported that CEK was being used to distribute ransomware, particularly Reveton variants..."

    - https://www.symantec.com/security_re...atconlearn.jsp

    Last edited by AplusWebMaster; 2013-01-15 at 00:16.
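Posts #9 and #10 above point at the Java Control Panel checkbox ("Enable Java content in the browser", new in 7u10) as the way to unplug Java from the browser while the 0-day is unpatched. Unchecking it by hand on every PC does not scale and the user can re-check it. The following added example, which is not from the forum posts or from Oracle, shows the equivalent fleet-wide configuration: a system-level deployment.properties that sets the documented property deployment.webjava.enabled to false and locks it (a property is locked by adding its key with the .locked suffix), plus a deployment.config that makes that file mandatory for every JRE on the host. It also includes a small audit function that reads a deployment.properties and reports whether web Java is really off and locked. The Windows paths are assumptions for the example; the property names are Oracle's.

```python
"""Disable Java in the browser fleet-wide via deployment.properties, and audit it.

Added example, not from the forum post or from Oracle. The Java Control Panel's
"Enable Java content in the browser" switch (7u10 and later) is the property
deployment.webjava.enabled. Paths below are assumed Windows locations.
"""
import re
from typing import Dict, Tuple

# Assumed system-level locations (Windows). On Linux the JRE reads
# <java.home>/lib/deployment.config; point it at a root-owned properties file.
DEPLOYMENT_CONFIG_PATH = r"C:\Windows\Sun\Java\Deployment\deployment.config"
SYSTEM_PROPERTIES_URL = "file:///C:/Windows/Sun/Java/Deployment/deployment.properties"

# Constructed "weak" file: the default state, plug-in reachable from the browser.
WEAK_PROPERTIES = (
    "# default per-user settings\n"
    "deployment.webjava.enabled=true\n"
)


def render_deployment_config(properties_url: str = SYSTEM_PROPERTIES_URL) -> str:
    """deployment.config tells every JRE where the mandatory system properties live."""
    return (
        "deployment.system.config=" + properties_url + "\n"
        "deployment.system.config.mandatory=true\n"
    )


def render_hardened_properties() -> str:
    """Turn off Java content in the browser and lock it so the Control Panel cannot re-enable it."""
    return (
        "deployment.webjava.enabled=false\n"
        "deployment.webjava.enabled.locked\n"
    )


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value, key:value, key value or a bare key."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        key = parts[0]
        props[key] = parts[1] if len(parts) > 1 else ""
    return props


def audit_web_java(properties_text: str) -> Tuple[bool, str]:
    """(ok, reason): ok only when web Java is disabled AND the key is locked."""
    props = parse_properties(properties_text)
    # Oracle's default when the key is absent is enabled.
    enabled = props.get("deployment.webjava.enabled", "true").strip().lower()
    if enabled != "false":
        return False, "deployment.webjava.enabled is %r; plug-in still reachable from the browser" % enabled
    if "deployment.webjava.enabled.locked" not in props:
        return False, "web Java disabled but not locked; the user can re-enable it in the Control Panel"
    return True, "web Java disabled and locked"


if __name__ == "__main__":
    print("--- deployment.config ---")
    print(render_deployment_config(), end="")
    print("--- deployment.properties ---")
    print(render_hardened_properties(), end="")
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", render_hardened_properties())):
        print(label, "->", audit_web_java(text)[1])
```

Drop the rendered files in place with your management tooling (a root- or SYSTEM-writable path only, since the JRE trusts whatever that file says), then run the audit against the file each endpoint actually has; a file that says false but lacks the .locked line is the common half-done state the audit is there to catch. This only removes the browser plug-in attack surface; standalone Java applications and Web Start still run, so the "uninstall it if you don't need it" advice in the post above stands.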
