Java 0-Day patched as Java 7 U 11 released - SANS Internet Storm Center

Java 0-Day patched as Java 7 U 11 released
Oracle has released Java Update 11 which addresses the 0-day vulnerability referenced CVE-2013-0422. Release notes are available on the Oracle Web Site. The release also contains a reminder to 'reactivate' your Java installation in the control panel if you turned it off, or to reactivate it in Firefox. Watch for the rush now. Thanks to Michael and PSZ for the heads-up. Steve	Stephen 89 Posts Jan 13th 2013
Thread locked Subscribe	Jan 13th 2013 9 years ago
Thanks for the report. I ran the uninstaller in CCleaner just because the Word out there was sounding a bit scary. And I removed all remnants in the folders in windows manually and with JAVARA. raproducts.org/wordpress/ Now I'm downloading the Versions so I can Re-Install them. Thank You, BC	Anonymous
Quote	Jan 14th 2013 9 years ago
" The release also contains a reminder to 'reactivate' your Java installation in the control panel if you turned it off, or to reactivate it in Firefox. Watch for the rush now." Personally, I would recommend, for most people, that the browser plugin be left turned off permanently if possible. (Definitely update, or uninstall, however) Most users will rarely require a site that uses java applets, so keep java plugin shut off if at all possible; even with the vuln patched it should be seen as a big risk, due to Java's apparently inadequate sandboxing. The harder problem is the MS Internet Explorer vulnerabilities.	Mysid 146 Posts
Quote	Jan 14th 2013 9 years ago
Haven't researched it but this just hit a news site here in NZ http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert	Doug 2 Posts
Quote	Jan 14th 2013 9 years ago
To Doug's point, this issue might not be completely resolved--> http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/	Resist0r 1 Posts
Quote	Jan 14th 2013 9 years ago
I won't reactive it. PERIOD.	MarlonBorba 3 Posts
Quote	Jan 14th 2013 9 years ago
Don't install it unless you need it. Less than 0.2% of public websites need it (W2Tech http://w3techs.com/technologies/overview/client_side_language/all) Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312	MarlonBorba 7 Posts
Quote	Jan 14th 2013 9 years ago
[ Don't install it unless you need it. Less than 0.2% of public websites need it (W2Tech http://w3techs.com/technologies/overview/client_side_language/all) Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312 posted by Cricket, Mon Jan 14 2013, 16:25 ] ^^^^^ If what Cricket says is true; Then why are we bothering to use this piece of work? I'm going to unwind it altogether. Mr.H.E.Clarke,III	MarlonBorba 20 Posts
Quote	Jan 14th 2013 9 years ago
7u11 only fixes the current o-day, but not the underlying vulnerability. The current Java7update 11 release update only fixes CVE-2012-3174; CVE-2013-0422 remains intact and Java 7 is still vulnerable. All an attacker need do is mix a new cocktail using the CVE-2012-3174 vulnerability plus a new twist and here we go all over again. Immunity products has already verified this here - http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html	toymaster 13 Posts
Quote	Jan 15th 2013 9 years ago
- http://seclists.org/fulldisclosure/2013/Jan/142 18 Jan 2013 - "... We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21)... two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today [4] (along with a working Proof of Concept code)..." .	Jack 160 Posts
Quote	Jan 19th 2013 9 years ago