M
MowGreen
http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
Researchers: Java Zero-Day Leveraged Two Flaws
http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/
" “There are 2 different zero-day vulnerabilities used in this exploit,”
Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of
this bug class is that it provides 100% reliability and is
multi-platform. Hence this will shortly become the penetration test
Swiss knife for the next couple of years (as did its older brother
CVE-2008-5353).”
Not long after news broke that miscreants were exploiting an unpatched
security hole in Java to break into PCs, I began seeing tweets from
non-Windows users urging people to switch to Mac OS X or Linux.
Unfortunately, this latest Java exploit has been shown to work
flawlessly to compromise browsers on all three operating systems.
According to Rapid7, the Java exploit found being used in targeted
attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a
free software tool built to test the security of networks. Rapid7 said
the exploit has been successfully tested to work against nearly all
browser configurations on Windows systems, and against Safari on OS X
10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04. "
The vulnerabilities ONLY exist in Java 1.7 .
Reverting to JRE 1.6 and/or disabling web brower java plugins are the
only mitigation steps available at present.
Oracle updates their JREs on a quarterly schedule. The next update is
due October 16th. According to their Security Fixing Policies web page -
http://www.oracle.com/us/support/assurance/fixing-policies/index.html
" Oracle may issue a Security Alert in the case of a unique or dangerous
threat to our customers. In this event, customers will be notified of
the Security Alert by email notification through My Oracle Support and
Oracle Technology Network. The fix included in the Security Alert will
also be included in the next Critical Patch Update. "
MowGreen
================
*-343-* FDNY
Never Forgotten
================
Researchers: Java Zero-Day Leveraged Two Flaws
http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/
" “There are 2 different zero-day vulnerabilities used in this exploit,”
Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of
this bug class is that it provides 100% reliability and is
multi-platform. Hence this will shortly become the penetration test
Swiss knife for the next couple of years (as did its older brother
CVE-2008-5353).”
Not long after news broke that miscreants were exploiting an unpatched
security hole in Java to break into PCs, I began seeing tweets from
non-Windows users urging people to switch to Mac OS X or Linux.
Unfortunately, this latest Java exploit has been shown to work
flawlessly to compromise browsers on all three operating systems.
According to Rapid7, the Java exploit found being used in targeted
attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a
free software tool built to test the security of networks. Rapid7 said
the exploit has been successfully tested to work against nearly all
browser configurations on Windows systems, and against Safari on OS X
10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04. "
The vulnerabilities ONLY exist in Java 1.7 .
Reverting to JRE 1.6 and/or disabling web brower java plugins are the
only mitigation steps available at present.
Oracle updates their JREs on a quarterly schedule. The next update is
due October 16th. According to their Security Fixing Policies web page -
http://www.oracle.com/us/support/assurance/fixing-policies/index.html
" Oracle may issue a Security Alert in the case of a unique or dangerous
threat to our customers. In this event, customers will be notified of
the Security Alert by email notification through My Oracle Support and
Oracle Technology Network. The fix included in the Security Alert will
also be included in the next Critical Patch Update. "
MowGreen
================
*-343-* FDNY
Never Forgotten
================
