New Java 0day exploited in the wild


MowGreen

http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/


Researchers: Java Zero-Day Leveraged Two Flaws
http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/

" “There are 2 different zero-day vulnerabilities used in this exploit,”
Guillardoy wrote in a lengthy analysis of the exploit. “The beauty of
this bug class is that it provides 100% reliability and is
multi-platform. Hence this will shortly become the penetration test
Swiss knife for the next couple of years (as did its older brother
CVE-2008-5353).”

Not long after news broke that miscreants were exploiting an unpatched
security hole in Java to break into PCs, I began seeing tweets from
non-Windows users urging people to switch to Mac OS X or Linux.
Unfortunately, this latest Java exploit has been shown to work
flawlessly to compromise browsers on all three operating systems.

According to Rapid7, the Java exploit found being used in targeted
attacks (CVE-2012-4681) is now available as a plug-in to Metasploit, a
free software tool built to test the security of networks. Rapid7 said
the exploit has been successfully tested to work against nearly all
browser configurations on Windows systems, and against Safari on OS X
10.7.4 and Mozilla Firefox on Ubuntu Linux 10.04. "

The vulnerabilities ONLY exist in Java 1.7.
Reverting to JRE 1.6 and/or disabling web browser Java plugins are the
only mitigation steps available at present.

Oracle updates their JREs on a quarterly schedule. The next update is
due October 16th. According to their Security Fixing Policies web page -
http://www.oracle.com/us/support/assurance/fixing-policies/index.html

" Oracle may issue a Security Alert in the case of a unique or dangerous
threat to our customers. In this event, customers will be notified of
the Security Alert by email notification through My Oracle Support and
Oracle Technology Network. The fix included in the Security Alert will
also be included in the next Critical Patch Update. "




MowGreen
================
*-343-* FDNY
Never Forgotten
================
 
Published 2012-August-30

Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA

" Due to the severity of these vulnerabilities, the public disclosure of
technical details and the reported exploitation of CVE-2012-4681 "in the
wild," Oracle strongly recommends that customers apply the updates
provided by this Security Alert as soon as possible.

Users running Java SE with a browser can download the latest JRE 7
release from http://java.com/. Users on the Windows platform can also
use automatic updates to get the latest JRE 7 and 6 releases "

The link to manually download the latest JRE 7 release is here:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

" Java SE 7u7
This release addresses security concerns. Oracle strongly recommends
that all Java SE 7 users upgrade to this release.

Java SE 6 Update 35
This release addresses security concerns. Oracle strongly recommends
that all Java SE 6 users upgrade to this release. "

For the typical Users ("consumers"), the downloads are under the JRE
heading or, just head to http://java.com.

Be sure that NO additional toolbars, anti-malware scanners, or other
assorted "fluff" is checked or it will piggyback on the Java installation.
If one wants the other "fluff" installed, then bend over and allow it. ;)

MowGreen
================
*-343-* FDNY
Never Forgotten
================
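A quick check against the fixed releases named in the alert above (Java SE 7u7 and 6u35), added here as an example; it is not code from the thread or from Oracle. It parses the first line of `java -version` output (which the JRE prints to stderr), treats 1.7 builds below update 7 as exposed to CVE-2012-4681 per the thread, and flags 1.6 builds below update 35 as merely behind the release Oracle shipped; the sample line is constructed.

```python
import re
import subprocess

# Fixed releases named in the Oracle Security Alert: Java SE 7u7 and 6u35.
FIXED_UPDATE = {"1.7": 7, "1.6": 35}

# First line of `java -version` output, e.g.  java version "1.7.0_06"
# Captures the major.minor family and the update number (absent in "1.7.0").
VERSION_RE = re.compile(r'java version "(\d+\.\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output):
    """Return (family, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = m.group(1)
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def assess(output):
    """Classify a JRE as 'vulnerable', 'patched', 'outdated' or 'unknown'.

    1.7 below 7u7 is exposed to CVE-2012-4681 (the thread says only 1.7 is
    affected); 1.6 below 6u35 is simply older than the alert's 6 release.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family == "1.7":
        return "vulnerable" if update < FIXED_UPDATE["1.7"] else "patched"
    if family == "1.6":
        return "outdated" if update < FIXED_UPDATE["1.6"] else "patched"
    return "unknown"  # families the alert does not cover


if __name__ == "__main__":
    try:
        # `java -version` writes its banner to stderr, not stdout.
        out = subprocess.run(["java", "-version"],
                             capture_output=True, text=True).stderr
    except FileNotFoundError:
        out = 'java version "1.7.0_06"\n'  # constructed sample, no JRE present
    print(assess(out))
```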
 