|
Oracle has released Java Update 11 which addresses the 0-day vulnerability referenced CVE-2013-0422. Release notes are available on the Oracle Web Site. The release also contains a reminder to 'reactivate' your Java installation in the control panel if you turned it off, or to reactivate it in Firefox. Watch for the rush now. Thanks to Michael and PSZ for the heads-up. Steve
|
Stephen 89 Posts ISC Handler |
| Subscribe |
Jan 13th 2013 7 years ago |
|
Thanks for the report.
I ran the uninstaller in CCleaner just because the Word out there was sounding a bit scary. And I removed all remnants in the folders in windows manually and with JAVARA. raproducts.org/wordpress/ Now I'm downloading the Versions so I can Re-Install them. Thank You, BC |
Anonymous |
| Quote |
Jan 14th 2013 7 years ago |
|
" The release also contains a reminder to 'reactivate' your Java installation in the control panel if you turned it off, or to reactivate it in Firefox. Watch for the rush now."
Personally, I would recommend, for most people, that the browser plugin be left turned off permanently if possible. (Definitely update, or uninstall, however) Most users will rarely require a site that uses java applets, so keep java plugin shut off if at all possible; even with the vuln patched it should be seen as a big risk, due to Java's apparently inadequate sandboxing. The harder problem is the MS Internet Explorer vulnerabilities. |
Mysid 146 Posts |
| Quote |
Jan 14th 2013 7 years ago |
|
Haven't researched it but this just hit a news site here in NZ
http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert |
Doug 2 Posts |
| Quote |
Jan 14th 2013 7 years ago |
|
To Doug's point, this issue might not be completely resolved--> http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/
|
Resist0r 1 Posts |
| Quote |
Jan 14th 2013 7 years ago |
|
I won't reactive it. PERIOD.
|
MarlonBorba 3 Posts |
| Quote |
Jan 14th 2013 7 years ago |
|
Don't install it unless you need it. Less than 0.2% of public websites need it (W2Tech http://w3techs.com/technologies/overview/client_side_language/all)
Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312 |
MarlonBorba 7 Posts |
| Quote |
Jan 14th 2013 7 years ago |
|
[
Don't install it unless you need it. Less than 0.2% of public websites need it (W2Tech http://w3techs.com/technologies/overview/client_side_language/all) Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312 posted by Cricket, Mon Jan 14 2013, 16:25 ] ^^^^^ If what Cricket says is true; Then why are we bothering to use this piece of work? I'm going to unwind it altogether. Mr.H.E.Clarke,III |
MarlonBorba 20 Posts |
| Quote |
Jan 14th 2013 7 years ago |
|
7u11 only fixes the current o-day, but not the underlying vulnerability.
The current Java7update 11 release update only fixes CVE-2012-3174; CVE-2013-0422 remains intact and Java 7 is still vulnerable. All an attacker need do is mix a new cocktail using the CVE-2012-3174 vulnerability plus a new twist and here we go all over again. Immunity products has already verified this here - http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html |
toymaster 13 Posts |
| Quote |
Jan 15th 2013 7 years ago |
|
- http://seclists.org/fulldisclosure/2013/Jan/142
18 Jan 2013 - "... We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21)... two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today [4] (along with a working Proof of Concept code)..." . |
Jack 160 Posts |
| Quote |
Jan 19th 2013 7 years ago |
Sign Up for Free or Log In to start participating in the conversation!
