Java JRE updates/advisories

AplusWebMaster · Oct 14, 2011

FYI...

Java exploitation remains high ...
- https://blogs.technet.com/themes/bl...rability-exploitation-into-context&GroupKeys=
13 Oct 2011 - "... Most Frequent Exploits: ... Java exploitation remains high... The top four Java exploits are CVE-2010-0840, CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3867
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0094
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0840

Exploit Detections (charted)
> http://www.microsoft.com/security/portal/blog-images/BID043-111012-002.png

:fear::fear:

AplusWebMaster · Feb 26, 2012

Java exploit code available for recently patched vuln ...

FYI...

Java exploit code available for recently patched vuln ...
ZDI-12-039: Oracle Java Web Start java-vm-args Command Argument Injection Remote Code Execution
- http://atlas.arbor.net/briefs/index#-2068343742
Severity: High Severity
Feb 24, 2012 - "Exploit code is available for a recently patched Java vulnerability.
Analysis: Oracle patched a series of Java security issues in February and at least one of these issues now has publicly available exploit code, as published in the Metasploit framework. While Metasploit is intended for authorized penetration testing purposes, attackers have no such scruples and will happily leverage freshly published exploit code to develop their own and incorporate the exploit into their malware kits. Such exploits also pay off for the attackers who launch targeted attacks, as many targets do not patch in a timely manner."
Source: http://www.zerodayinitiative.com/advisories/ZDI-12-039/
___

- https://isc.sans.edu/diary.html?storyid=12838
Last Updated: 2012-03-25 17:04:16 UTC - "... In slight modification of Oracle's own words: '~~We highly recommend users remove all older versions of Java from your system. Keeping old and unsupported versions of~~ Java on your system presents a serious security risk...' ..."

:fear::fear:

AplusWebMaster · Apr 1, 2012

Critical Java exploit - large scale ...

FYI...

- http://www.oracle.com/technetwork/topics/security/alerts-086861.html
"... For Oracle Java SE Critical Patch Updates, the next three dates are:
12 June 2012
16 October 2012
19 February 2013 ..."
___

Critical Java hole being exploited on a large scale ...
- http://atlas.arbor.net/briefs/index#-1937641784
Severity: High Severity
Published: Wednesday, March 28, 2012 19:20
Java security vulnerability patched in February is now being used widely by criminals to install malware.
Analysis: Patch! Watch for outdated Java on the network as the presence of old Java User-Agents is often a sign that a system has been exploited and Java is now doing the attackers bidding, typically downloading something evil.
Source: http://h-online.com/-1485681
Update 29-03-12: "... Until an update is released that addresses the vulnerability, Mac OS X users can turn off Java. Users can disable Java via Java Preferences (Applications > Utilities > Java Preferences) by unchecking the installed version. Alternatively, users can disable Java in each of their browsers; in Apple's Safari browser, this can be done by unchecking the "Enable Java" and "Enable JavaScript" under the Security tab in Safari's Preferences..."
* http://www.h-online.com/open/news/item/Critical-Java-hole-being-exploited-on-a-large-scale-Update-1485681.html?view=zoom;zoom=2
___

- http://atlas.arbor.net/briefs/index#-51701177
Elevated Severity
March 30, 2012
Source: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp

Mac Flashback Exploiting Unpatched Java Vulnerability
- https://www.f-secure.com/weblog/archives/00002341.html
April 2, 2012

:fear:

AplusWebMaster · Jun 12, 2012

Java v7u5 / v6u33 released

FYI...

Java v7u5 / v6u33 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
June 12, 2012

- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
"... contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html#AppendixJAVA
7 Update 4 and before, 6 Update 32 and before, 5 Update 35 and before, 1.4.2_37 and before. JavaFX 2.1 and before...

Verify:
>> https://www.java.com/en/download/installed.jsp?detect=jre&try=1

Java SE 7u5 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
Changes in 1.7.0_5
- http://www.oracle.com/technetwork/java/javase/7u5-relnotes-1653274.html

Java SE 6 Update 33 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html
Changes in 1.6.0_33
- http://www.oracle.com/technetwork/java/javase/6u33-relnotes-1653258.html
___

URGENT BULLETIN: All E-Business Suite End-Users...
- https://blogs.oracle.com/stevenChan/entry/bulletin_disable_jre_auto_update
Update: June 14, 2012 - "To ensure that Java Users remain on a secure version, Windows systems that rely on auto-update will be auto-updated from JRE 6 to JRE 7. Until EBS is certified with JRE 7, EBS users should -not- rely on the windows auto-update mechanism for their client machines and should -manually- keep the JRE up to date with the latest versions of 6 on an ongoing basis..."

- http://h-online.com/-1618753
15 June 2012
___

- http://www.securitytracker.com/id/1027153
CVE Reference: CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726
Jun 12 2012
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Version(s): 1.4.2_37 and prior, 5.0 Update 35 and prior, 6 Update 32 and prior, 7 Update 4 and prior...

- https://secunia.com/advisories/49472/
Release Date: 2012-06-13
Criticality level: Highly critical
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote
Original Advisory: Oracle:
http://www.oracle.com/technetwork/topics/security/javacpujun2012verbose-1515971.html

:fear::fear:

AplusWebMaster · Aug 15, 2012

Java v7u6/v6u34 released

FYI...

Java v7u6 / v6u34 released
- http://www.oracle.com/us/corporate/press/1735645
August 14, 2012

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java SE 7u6 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
Changes in 1.7.0_6
- http://www.oracle.com/technetwork/java/javase/7u6-relnotes-1729681.html
Bug fixes
- http://www.oracle.com/technetwork/java/javase/2col/7u6-bugfixes-1733378.html

Java SE 6 Update 34 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html
Changes in 1.6.0_34
- http://www.oracle.com/technetwork/java/javase/6u34-relnotes-1729733.html
Bug fixes
- http://www.oracle.com/technetwork/java/javase/2col/6u34-bugfixes-1733379.html

Java 6 EOL extended to February 2013
- https://blogs.oracle.com/henrik/entry/java_6_eol_h_h

Verify: https://www.java.com/en/download/installed.jsp?detect=jre&try=1
___

- http://h-online.com/-1667714
15 August 2012
___

- http://nakedsecurity.sophos.com/201...aims-full-and-timely-updates-for-apple-users/
Aug 15, 2012 - "... the latest Java version from Oracle is 7u6, also known as 1.7.0_6. If you don't intend to develop Java programs yourself, stick to the JRE. It's much smaller than the JDK, which reduces what's known in trendy-speak as your attack surface area. That's always a good thing. This new Java version includes a longish list of bugfixes*. These include: a few ominous-sounding ones with more than a whiff of vulnerability about them, such as 7166498 - JVM crash in ClassVerifier; the risky-sounding 7155051 - DNS provider may return incorrect results; and the intriguingly sticky-sounding 7178177 - Debug spewage when applets start up. With that in mind, I suggest you update as soon as practicable."
* http://www.oracle.com/technetwork/java/javase/2col/7u6-bugfixes-1733378.html

:fear:

AplusWebMaster · Aug 30, 2012

Java v7u7 / v6u35 released

FYI...

New critical Java flaw claimed
- http://www.theregister.co.uk/2012/09/26/gowdiak_claims_new_java_flaw/
26 Sep 2012- "Oracle's Java is making a play to wrest back the title of world's leakiest code from Internet Explorer, after Polish researcher Adam Gowdiak claimed another critical flaw exists in the product. The -new- claim is stated on the Full Disclosure mailing list where Gowdiak writes that the newly-found flaw impacts “all latest versions of Oracle Java SE software” and that it allows “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.” That's apparently worse than previous exploits, as they only hit Java 7..."
- http://arstechnica.com/security/201...w-allows-complete-bypass-of-security-sandbox/
Sep 25, 2012

Consider disabling Java* in your browser until the next update**.

* https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

** https://isc.sans.edu/diary.html?storyid=14017

- http://www.oracle.com/technetwork/topics/security/alerts-086861.html
"For Oracle Java SE Critical Patch Updates, the next three dates are:
16 October 2012
19 February 2013
18 June 2013 ..."
___

Java v7u7 / v6u35 released
* http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-verbose-1835710.html
August 30, 2012

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA
CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, CVE-2012-0547

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java SE 7u7 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html
Changes in 1.7.0_7
- http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
"... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."
___

Java SE 6 Update 35 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre6u35-downloads-1836473.html
Changes in 1.6.0_35
- http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html
"... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681 - 10.0 (HIGH)
Last revised: 09/01/2012 - "... as exploited in the wild in August 2012..."

:fear::fear:

AplusWebMaster · Oct 16, 2012

Java/Oracle pre-release announcement - October 2012

FYI...

- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
"This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for October 2012, which will be released on Tuesday, October 16, 2012... This Critical Patch Update contains 30 new security fixes for Oracle Java SE. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

:fear::fear:

AplusWebMaster · Oct 16, 2012

Java JRE 7u9 / 6u37 released

FYI...

Java SE Critical Patch Update Advisory - October 2012
- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
Oct 16, 2012

Java JRE 7u9 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7u9-downloads-1859586.html
Oct 16, 2012

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u9-relnotes-1863279.html

Java JRE 6 Update 37
- http://www.oracle.com/technetwork/java/javase/downloads/jre6u37-downloads-1859589.html
Oct 16, 2012

Release Notes
- http://www.oracle.com/technetwork/java/javase/6u37-relnotes-1863283.html

Java - October 2012 Risk Matrices
- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html#AppendixJAVA
"This Critical Patch Update contains 30 new security fixes for Oracle Java SE. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."
___

- http://atlas.arbor.net/briefs/index#1321617866
Severity: High Severity
October 17, 2012
Oracle releases Java security patches that should be applied as soon as possible.
Analysis: Given the damage that has been caused by malware infections and system intrusions caused by vulnerable versions of Java being exploited it is likely that the security holes patched herein will also be used by cyber-criminals, nation-state attackers and others in their quest to compromise systems and pursue a malicious agenda. Limiting the scope of browser-based Java to one specific browser that's only used on trusted applications and also wrapping Java on any Microsoft platform with a technology such as EMET to reduce the risk of future exploitation can help provide additional protection for this widely attacked software.

- http://www.securitytracker.com/id/1027672
CVE Reference: CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5078, CVE-2012-5079, CVE-2012-5080, CVE-2012-5081, CVE-2012-5082, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
Oct 17 2012
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Version(s): 1.4.2_38 and prior, 5.0 Update 36 and prior, 6 Update 35, 7 Update 7 and prior
Impact: A remote user can take full control of the target system.
A remote user can access and modify data on the target system.
A remote user can cause partial denial of service conditions on the target system.
Solution: The vendor has issued a fix, described in the October 2012 Critical Patch Update advisory.
The vendor's advisory is available at:
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

- https://secunia.com/advisories/50949/
Release Date: 2012-10-17
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote
... vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 7 and earlier.
* JDK and JRE 6 Update 35 and earlier.
* JDK and JRE 5.0 Update 36 and earlier.
* SDK and JRE 1.4.2_38 and earlier.
* JavaFX 2.2 and earlier.
Solution: Apply updates.
Original Advisory: Oracle:
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
___

- http://javatester.org/
Oct 17, 2012 - "... not all known bugs were fixed..."

- http://blogs.computerworld.com/application-security/21173/ugly-side-latest-java-updates
Oct 18, 2012 -"... the ugly stuff. The biggest issue is that Oracle didn't patch all the known problems with Java. As a result, even these latest and greatest editions of Java remain vulnerable to a known critical flaw. Adam Gowdiak is the security researcher who found many of the recent flaws in Java. His last flaw became public knowledge on September 25th. Since the problem was exploitable on Java versions 5, 6 and 7, Gowdiak estimated that it put 1 billion users at risk. A couple security organizations, Heise and Kaspersky, have been in contact with Gowdiak about how well the latest versions of Java patch the flaws he discovered. Gowdiak told Heise Security "that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java". He claims that Oracle told him that the just-released package of 30 bug fixes was "already in its final testing phase" when he reported the September 25th flaw. In other words, he was too late to the party. He told Kaspersky the same thing. The flaw that puts a billion users at risk won't be patched until February 19, 2013. This is not to suggest, in any way, ignoring the latest updates to Java. Just recognize that they make you safer (30 bugs were fixed) rather than safe..."

:fear::fear:

AplusWebMaster · Dec 12, 2012

AplusWebMaster · Jan 10, 2013

Java 0-Day exploit ...

FYI...

Java 0-Day exploit ...
- https://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Jan 10, 2013 - "The hackers who maintain Blackhole and Nuclear Pack – competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they’ve added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java... According to both crimeware authors, the vulnerability exists in all versions of Java 7, including the latest — Java 7 Update 10... if you have Java installed, it would be a very good idea to unplug Java from your browser, or uninstall this program entirely if you don’t need it...
Update: Alienvault Labs* say they have reproduced and verified the claims of a new Java zero-day that exploits a vulnerability in fully-patched versions of Java 7."
* http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Jan 10, 2013 - "... It seems both Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild..."
___

- http://www.kb.cert.org/vuls/id/625617
Last revised: 14 Jan 2013
Disabling Java in the Browser:
- http://www.java.com/en/download/help/disable_browser.xml

- https://www.us-cert.gov/cas/techalerts/TA13-010A.html
Last revised: 14 Jan 2013

> Uncheck this setting: https://www.java.com/en/img/download/enable_java.jpg
___

- https://secunia.com/advisories/51820/
Last Update: 2013-01-14
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution: Update to version 7 update 11.

- https://www.securelist.com/en/blog/208194070/Java_0day_Mass_Exploit_Distribution
"... There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem*... Metasploit developers have added an exploit module targeting this vulnerability CVE-2013-0422..."
* https://www.securelist.com/en/images/pictures/klblog/208194077.PNG

- http://www.securitytracker.com/id/1027972
CVE Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 - 10.0 (HIGH)
Updated: Jan 13 2013
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 1.7 u10 and prior 1.7 versions
Solution: The vendor has issued a fix (7 Update 11)...

- http://blog.trendmicro.com/trendlab...day-exploit-in-the-wild-spreading-ransomware/
Jan 10, 2013 - "... Currently, this exploit is being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). CEK is the creation of the same author responsible for Blackhole Exploit Kit. It appears to be a high-end version of the more accessible BHEK. Zero-day exploits are first incorporated into CEK and only added into BHEK once they have been disclosed. It has been reported that CEK was being used to distribute ransomware, particularly Reveton variants..."

- https://www.symantec.com/security_response/threatconlearn.jsp

:fear::fear:

AplusWebMaster · Jan 14, 2013

Java v7u11 released

FYI...

Java v7u11 released - Download
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
Jan 13, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
"... This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422*..."
* http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

> http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html#AppendixJAVA
2013-January 13

- https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
Jan 13, 2013 - "... The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174. These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0. Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 - 10.0 (HIGH)
"... vulnerability in Oracle Java 7 before Update 11..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3174 - 10.0 (HIGH)
"... vulnerability in Oracle Java 7 before Update 11..."

:fear::fear:

AplusWebMaster · Jan 16, 2013

New Java 0-day exploit - 2013.01.16

FYI...

New Java 0-day exploit - $5,000 per Buyer
- https://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/
Jan 16, 2013 - "Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java... The hacker forum admin’s message... promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit... this same thing happened not long after Oracle released a Java update in October; a few weeks later, a Java 0day was being sold to a few private users on this same Underweb forum..."
- http://www.nbcnews.com/technology/t...te-security-experts-say-bugs-remain-1B7956548
"... Some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes. HD Moore... said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web..."

:fear::fear:

AplusWebMaster · Jan 18, 2013

Java 7u11 vulnerable ...

FYI...

Java 7u11 vulnerable
- http://seclists.org/fulldisclosure/2013/Jan/142
18 Jan 2013 - "... We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21)... two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today [4] (along with a working Proof of Concept code)..."

- http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/
Jan 18, 2013 - "... researchers have confirmed that the latest version of Oracle's Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users' computers... As Ars has advised in the past, readers who have no use for Java should consider removing program plug-ins from their browsers, or uninstalling Java altogether from their computer..."

How to uninstall: https://www.java.com/en/download/uninstall.jsp

- http://www.securitytracker.com/id/1028019
Jan 19 2013
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): 7 Update 11; possibly prior versions
Description: Two vulnerabilities were reported in Oracle Java. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted Java content that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
The vendor was notified on January 18, 2013...
Solution: No solution was available at the time of this entry...

- http://www.hotforsecurity.com/blog/police-ransomware-becomes-java-0-day-borne-5032.html
Jan 14, 2013 - "... Exploit prevalence – breakdown by country for the past three days"
> http://www.hotforsecurity.com/wp-content/uploads/2013/01/exploit-distribution.png

- https://blogs.technet.com/b/mmpc/ar...nerability-cve-2013-0422.aspx?Redirected=true
20 Jan 2013 - "... since the public disclosure happened a few days ago, the samples and telemetry are increasing drastically, almost catching up with previous major Java vulnerabilities (CVE-2012-4681, CVE-2012-5076). The one notable thing is that we've started seeing multi-exploit samples combining CVE-2013-0422 and CVE-2012-1723*... The strategy of this combined exploit is that by sending one exploit code, they can cover any vulnerable Java 6 installations (up to JRE 6u32) and vulnerable Java 7 installations (up to JRE 7u10) at one time. As for JRE 7, CVE-2012-1723 is only applicable up to JRE 7u4, they can abuse CVE-2013-0422** to cover JRE 7u5 to 7u10 for exploitation..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723 - 10.0 (HIGH)

** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 - 10.0 (HIGH)

- http://atlas.arbor.net/briefs/index#848588693
Oracle's Java Patch Shipped with Additional Vulnerabilities...
Elevated Severity
January 23, 2013
The latest version of Java did not fully address the most recent security issue, and other issues have been found.
Analysis: Java is a very hot attack target for some time, implicated in many attacks ranging from commodity cybercrime to targeted espionage attacks. Properly hardening and restricting Java is critical if an organization requires it's use. If java, and other plug-ins are not required for core functionality, they should be removed from controlled environments in order to reduce security risks. The general principle of hardening included reducing the attack surface by giving attackers less to attack...
- http://atlas.arbor.net/briefs/index#753048269
Severity: High Severity
January 28, 2013
Java: still problematic despite progress being made.
Analysis: Containing Java is important - restrict it to browsers that are only used for sites that must require it. Click-to-run techniques inside modern browsers can help reduce the attack surface. Additionally, Java User-Agents crossing the wire in a post-compromise scenario can be detected and action taken when such activity is unexpected. Sniffing the wire for older versions of Java is even more effective, as the chance of a compromise traffic is even higher.
Source: http://seclists.org/fulldisclosure/2013/Jan/241?

:sad: :fear::fear:

AplusWebMaster · Feb 1, 2013

Java v7u13 released

FYI...

Java v7u13 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
Feb 1, 2013

JRE 7u13
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

- https://www.java.com/en/download/manual.jsp

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u13-relnotes-1902884.html
This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory*.

* http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html

- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html#AppendixJAVA

- https://blogs.oracle.com/security/entry/february_2013_critical_patch_update
Feb 01, 2013 - "... contains fixes for -50- security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java..."

Oracle Java SE Critical Patch Update Advisory - February 2013
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Note: The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update...

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1489 - 10.0 (HIGH)
___

JRE 6u39
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html

- http://www.oracle.com/technetwork/java/javase/6u39-relnotes-1902886.html
___

- http://www.securitytracker.com/id/1028071
CVE Reference: CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0436, CVE-2013-0437, CVE-2013-0438, CVE-2013-0439, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1472, CVE-2013-1473, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483, CVE-2013-1489
Feb 1 2013
Impact: Denial of service via network, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0 Update 38 and prior; 6 Update 38 and prior; 7 Update 11 and prior...
Solution: The vendor has issued a fix as part of the Oracle Java SE Critical Patch Update Advisory for February 2013. The vendor's advisory is available at:
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

- http://www.kb.cert.org/vuls/id/858729
Last Updated: 05 Feb 2013
___

- https://blogs.oracle.com/security/entry/updates_to_february_2013_critical#
Update Feb 08, 2013: "... As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE. Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date. This updated February 2013 Critical Patch Update will be published on February 19th..."

:fear::fear:

AplusWebMaster · Feb 19, 2013

Java 7u15 released

FYI...

- https://secure.dslreports.com/forum/r28039102-
2013-02-23 - "With the last 2 Java updates on my XP box (7_13 & 7_15), I received the offer of a McAfee Security Scan which I declined. The same updates on my Vista box offered the installation of the Ask.com toolbar which I also declined..."

- https://encrypted.google.com/
Tag-along software installs
"... About 35,500,000 results..." < 3.15.2013
___

IBM Java Multiple Vulnerabilities
- https://secunia.com/advisories/52308/
Release Date: 2013-03-01
Criticality level: Highly critical
Impact: Privilege escalation, DoS, System access, Manipulation of data, Exposure of sensitive information
Where: From remote...
Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/
___

Java 7u15 released - JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Feb 19, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u15-relnotes-1907738.html

JDK
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Java v7 Update 15
- https://www.java.com/en/download/manual.jsp

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html#AppendixJAVA

- https://blogs.oracle.com/security/entry/updated_february_2013_critical_patch
Feb 19, 2013
___

Java JRE v6 Update 41
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html
___

- http://www.securitytracker.com/id/1028155
CVE Reference: CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487
Feb 19 2013
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 1.4.2_41 and prior, 5.0 Update 39 and prior, 6 Update 39, 7 Update 13 and prior

:fear:

AplusWebMaster · Feb 25, 2013

New Java 0-day bugs

FYI...

Two new Java 0-day bugs
- https://www.computerworld.com/s/article/9237124/Researcher_unearths_two_new_Java_zero_day_bugs
Feb 25, 2013 - "... Oracle shipped Java 7 Update 15 (7u15) on Feb. 19, bundling patches first released in a Feb. 1 emergency update with fixes for five more vulnerabilities. The -new- vulnerabilities affect only Java 7... Java 6, which Oracle has officially retired from support, does not contain the bugs... security experts today again urged users to disable or even uninstall Java..."
- http://nakedsecurity.sophos.com/2013/02/25/zero-day-vulnerabilities-java/
Feb 25, 2013 - "... the flaws could be exploited to completely bypass Java's security sandbox and infect computers..."

- http://arstechnica.com/security/201...roblems-new-flaw-identified-old-one-attacked/
Feb 25, 2013 - "... users who don't need Java should consider uninstalling it, or at least the Java plug-ins used to run Java content in Web browsers..."
___

- http://atlas.arbor.net/briefs/index#230624733
Elevated Severity
Feb 26, 2013
More security troubles for Java.
Analysis: Restricting Java is an important step in protecting your enterprise. Monitoring it's use on the network can indicate exploitation calling back to a malware Command & Control server. Patches are being issued, however it's wise to restrict Java as much as possible and provide additional hardening if it must be used..."

- http://h-online.com/-1810990
26 Feb 2013

:sad::fear::fear:

AplusWebMaster · Mar 1, 2013

Current Java new attack ...

FYI...

Current Java new attack...
- http://h-online.com/-1814716
01 March 2013 - "... FireEye reports* that cyber criminals are exploiting previously unknown vulnerabilities in the -current- Java versions to deploy malware... The hole is found -both- in Java version 7 update 15 and in version 6 update 41...
To protect themselves, users can completely uninstall Java or at least disable it in their browser..."
* http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html

- https://www.virustotal.com/en/file/...3169ea968818ec811faf72b322d9bcf94b8/analysis/
File name: Inst.exe
Detection ratio: 24/46
Analysis date: 2013-03-01

New Java 0-Day Attack Echoes Bit9 Breach
- https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/
Mar 1, 2013 - 110.173.55.187

- https://secunia.com/advisories/52451/
Release Date: 2013-03-02
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493
... vulnerability is reported in version 7 update 15 and version 6 update 41. Other versions may also be affected.
Solution: No official solution is currently available.
Provided and/or discovered by: Reported as a 0-day.

AplusWebMaster · Mar 4, 2013

Java JRE 7u17 released

FYI...

There are a dozen known flaws in Java ...
- http://blogs.computerworld.com/malware-and-vulnerabilities/21883/there-are-dozen-known-flaws-java
March 10, 2013 - "The last time Oracle released a new version of Java was less than a week ago (March 4th). Yet, there are already a dozen known, un-patched bugs in this latest release (Java 7 update 17)..."
___

Java JRE 7u17 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Mar 4, 2013

- https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493
Mar 4, 2013 - "Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers..."

- http://www.oracle.com/technetwork/java/javase/7u17-relnotes-1915289.html

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html#AppendixJAVA

JDK 7u17
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
___

Java 6 Update 43
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html

- https://secunia.com/advisories/52451/
Last Update: 2013-03-06
Criticality level: Extremely critical
Impact: System access
Where: From remote...
CVE Reference(s):
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0809 - 10.0 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493 - 10.0 (HIGH)
Solution: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html#AppendixJAVA
___

- http://seclists.org/fulldisclosure/2013/Mar/38
Mar 4, 2013 - "... 5 -new- security issues were discovered in Java SE 7..."

:fear::fear:

AplusWebMaster · Apr 16, 2013

Oracle Java Pre-Release Announcement - April 2013

FYI...

Oracle Java SE Critical Patch Update Pre-Release Announcement - April 2013
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Apr 15, 2013 - "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for April 2013, which will be released on Tuesday, April 16, 2013... this Critical Patch Update contains -42- new security vulnerability fixes..."

:fear:

AplusWebMaster · Apr 16, 2013

Java JRE 7u21, 6u45 released

FYI...

- http://www.symantec.com/connect/blogs/java-exploit-cve-2013-2423-coverage
Updated: 26 Apr 2013 - "... this vulnerability is now seen as a high priority... Please be aware of -malware- that masquerades as software updates and patches - only download the patch from the official website."

Current version always shown here:
- https://www.java.com/en/download/manual.jsp
___

Java JRE 7u21
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
April 16, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html

- https://blogs.oracle.com/security/entry/april_2013_critical_patch_update1
Apr 16, 2013

Oracle Java SE Critical Patch Update Advisory - April 2013
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html#AppendixJAVA
April 16, 2013 - "This Critical Patch Update contains 42 new security fixes for Oracle Java SE. 39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

Recommended Version 7 Update 21
- https://www.java.com/en/download/manual.jsp

- https://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities..."

Java JRE 6 Update 45
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html
___

Java 7 Update 21 is available - Watch for Behaviour Changes
- https://isc.sans.edu/diary.html?storyid=15620
2013-04-16 - "... Oracle has significantly changed how Java runs with this version. Java now requires code signing, and will pop up brightly coloured dialogue boxes if your code is not signed. They now alert on unsigned, signed-but-expired and self-signed certificates. We'll even need to click "OK" when we try to download and execute signed and trusted Java... graphics you can expect to see once you update are:
> https://isc.sans.edu/diaryimages/images/expired_cert.jpg
> https://isc.sans.edu/diaryimages/images/unsigned_cert.jpg
Full details on the new run policy can be found here ==>
- https://www.java.com/en/download/help/appsecuritydialogs.xml
And more information can be found here ==>
- http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html "

Dangerous defaults let certificates stay unchecked.
- http://www.h-online.com/security/ne...stricts-applets-1843558.html?view=zoom;zoom=2
17 April 2013
___

- http://www.securitytracker.com/id/1028434
CVE Reference: CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440
Apr 16 2013
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0 Update 41, 6 Update 43, 7 Update 17; and prior versions...
Solution: The vendor has issued a fix (6 Update 45, 7 Update 21)...
___

- http://www.f-secure.com/weblog/archives/00002544.html
April 23, 2013 - "A few days after Oracle released a critical patch, CVE-2013-2423* is found to (have) already been exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening... the Metasploit module was published on the 20th... the exploit was seen in the wild the day after..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423

:fear:

Java JRE updates/advisories

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member

New member