Critical 0-Day Java Bug "Massively Exploited"

Discussion in 'other security issues & news' started by Mman79, Jan 10, 2013.

Thread Status:
Not open for further replies.
  1. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Just
    Another
    Vulnerability
    Added

    :mad:
     
  2. ravnen

    ravnen Registered Member

    Joined:
    Mar 2, 2009
    Posts:
    17
    Hello

    You can download Version 7 Update 11 now on java.com
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thanks for the update, ravnen!

    This version now displays a pop-up warning, even after the usual prompt to allow java permission to run...
     


  4. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    JAVA UPDATE HIGHLY RECC TO UPDATE 7 UPDATE 11

    Download page here:

    http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

    changelog here:
    Bug Fixes

    This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422.

    In addition, the following change has been made:

    Area: deploy
    Synopsis: Default Security Level Setting Changed to High
    The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run, to prevent silent exploitation.

    http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

    This should be considered an urgent update, and if you do use Java, this should be done immediately.
     
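The release notes quoted above name two things an administrator can verify on a host after patching for CVE-2013-0422: that the installed JRE is at least 7 Update 11 (1.7.0_11), and that the deployment security level is "High" rather than "Medium". The following is an added example, not Oracle's code and not something posted in the thread. It parses the text `java -version` prints and a `deployment.properties` file; the key name `deployment.security.level` is an assumption about how the slider setting is stored, and the sample inputs are constructed.

```python
import re

# Minimum fixed release named in the thread: Java 7 Update 11 == 1.7.0_11
MIN_FIXED = (1, 7, 0, 11)

# Matches the legacy "1.major.micro_update" form used by Java 7
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_java_version(version_output):
    """Extract (1, major, micro, update) from `java -version` output.
    Returns None when no recognisable version string is present."""
    m = VERSION_RE.search(version_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(version_output, minimum=MIN_FIXED):
    """True only if the JRE is at least 7u11. Unparseable output counts as
    unpatched, which is the conservative choice for an inventory check."""
    v = parse_java_version(version_output)
    return v is not None and v >= minimum


def security_level(deployment_properties):
    """Read deployment.security.level from a deployment.properties text.
    The key name is an ASSUMPTION about how the 7u10/7u11 security slider is
    persisted; a missing key returns None."""
    for line in deployment_properties.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        if key.strip() == 'deployment.security.level':
            return value.strip().upper()
    return None


def assess(version_output, deployment_properties):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not is_patched(version_output):
        findings.append('JRE older than 1.7.0_11 (or unparseable): update to 7u11')
    level = security_level(deployment_properties)
    if level not in ('HIGH', 'VERY_HIGH'):
        findings.append('security level is %s, expected HIGH' % level)
    return findings


# Constructed sample inputs (not real captures from any host)
OLD_JRE = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
NEW_JRE = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n'
PROPS_MEDIUM = '#deployment.properties\ndeployment.security.level=MEDIUM\n'
PROPS_HIGH = '#deployment.properties\ndeployment.security.level=HIGH\n'

if __name__ == '__main__':
    for name, out, props in (('old', OLD_JRE, PROPS_MEDIUM), ('new', NEW_JRE, PROPS_HIGH)):
        print(name, assess(out, props) or 'OK')
```

The version regex deliberately targets the `1.x.y_u` format the thread is about; it will not parse later `9.0.1`-style strings, and by design it reports those as unpatched rather than guessing.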
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Re: JAVA UPDATE HIGHLY RECC TO UPDATE 7 UPDATE 11

    Okay, who else is putting money on this update opening up another hole or being an incomplete patch?
     
  6. brave71_heart

    brave71_heart Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    6
    Thanks for the reply...
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    source
     
  8. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    :thumb:
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    It just will not die die die.:blink: Can someone please exploit it so it vanishes.
     
  10. encus

    encus Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    535
    :D :D
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Maybe it disappears, but then what? Are you going to wish for the next big thing to disappear as well, and so on and so forth? Eventually, no one will be able to use anything. :argh:

    This kind of comment always makes me think of those who wish Facebook never existed. If it weren't Facebook, it would be something else, and if it goes away one day, some other service will become the new target about their privacy, etc.

    The problems with Java are that there's no proper sandbox, no working auto-update mechanism, and slow patching. If they solve these 3, users will be a lot safer (those who may not even realize they have it installed).
     
  12. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  13. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    Java 7 update 11 security patch fixes nothing.
    Article
     
  14. LeafsMan

    LeafsMan Registered Member

    Joined:
    Sep 7, 2012
    Posts:
    9
    Location:
    Canada
    I agree. Last time I checked, they have not even made a statement about the situation.
     
  15. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,910
    Location:
    USA
    If Java 7 Update 11 64-bit for 64-bit versions of Windows and Linux is no good, what about Java 7 Update 11 for Windows and Linux 32-bit?
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I'm hoping to witness one of these exploit attempts in action on my setup, but it just never happens :(
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It would never work if you were expecting it.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Sure, I'll give it a chance to leap into action :D
     
  19. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    I don't believe there's any differentiation between 32 and 64 bit. I cannot comment on Linux. The patch has been a total fizzle.
     
  20. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Re: JAVA UPDATE HIGHLY RECC TO UPDATE 7 UPDATE 11

    Should be an easy bet.
     
  21. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    If one went to safe sites, would they be safe, or would there be a slight chance they could be compromised? Soofly is wondering what to do; she tried disabling it in Waterfox, but then Facebook didn't let her see her messages and it kept asking to enable it over and over with constant loading.
     
  22. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    I have no trouble at all finding malware on legit sites including the webmail page of an ISP (flash ad malware).

    I have seen exploit attacks on ebaumsworld, okcupid and failblog. If it's got ads, the site is not safe.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In addition to ad malware, sites can be compromised with embedded code to redirect the victim to the cybercriminal's site which hosts the Java exploit.

    See this explanation from last year:

    http://blog.shadowserver.org/2012/0...s-trusted-websites-serving-dangerous-results/

    It shows that one exploit uses a hidden iframe in the web page to redirect to a Java exploit.

    Scroll down a bit to the "Exploit Chain" screen shot.


    ----
    rich
     
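The post above describes the common chain: a compromised legitimate page carries a hidden iframe that pulls in the attacker's landing page, which then serves the Java exploit. One practical check for the first link in that chain is to scan served HTML for iframes that are styled to be invisible. The following is an added example written for this thread; it is not code from the Shadowserver article or from anyone in the discussion. It uses only the Python standard library, and the sample page, including the `redirect.example` host, is constructed.

```python
from html.parser import HTMLParser
import re


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags whose attributes suggest they are meant to be
    invisible: zero/one-pixel size, display:none, visibility:hidden, or
    positioning far off-screen. These are the usual tells of an injected
    redirect to an exploit landing page."""

    def __init__(self):
        super().__init__()
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != 'iframe':
            return
        a = {k.lower(): (v or '') for k, v in attrs}
        reasons = self._why_hidden(a)
        entry = {'src': a.get('src', ''), 'reasons': reasons}
        (self.hidden if reasons else self.visible).append(entry)

    @staticmethod
    def _tiny(value):
        # width="1", height="0px" etc. -> leading integer <= 1
        m = re.match(r'\s*(\d+)', value)
        return m is not None and int(m.group(1)) <= 1

    @classmethod
    def _why_hidden(cls, a):
        reasons = []
        if 'width' in a and cls._tiny(a['width']):
            reasons.append('width<=1')
        if 'height' in a and cls._tiny(a['height']):
            reasons.append('height<=1')
        style = a.get('style', '').lower().replace(' ', '')
        if 'display:none' in style:
            reasons.append('display:none')
        if 'visibility:hidden' in style:
            reasons.append('visibility:hidden')
        for dim in ('width', 'height'):
            m = re.search(r'(?:^|;)' + dim + r':(\d+)px', style)
            if m and int(m.group(1)) <= 1:
                reasons.append('style ' + dim + '<=1px')
        m = re.search(r'(left|top):-(\d+)px', style)
        if m and int(m.group(2)) >= 1000:
            reasons.append('positioned off-screen')
        return reasons


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} for every iframe judged hidden."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden


# Constructed sample: one legitimate video embed and one injected redirect
SAMPLE_PAGE = """
<html><body>
<h1>Recipes</h1>
<iframe width="560" height="315" src="https://video.example/embed/42"></iframe>
<p>Great content here.</p>
<iframe src="http://redirect.example/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == '__main__':
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print('hidden iframe ->', hit['src'], hit['reasons'])
```

Run this against the HTML your proxy or crawler actually receives, not the source as the site owner sees it, since injected iframes are often served conditionally (by referrer, user agent or once per visitor).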
  24. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  25. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    That security level slider was present in the previous version (v 7 update 10) too, but now with update 11 the recommended (default?) setting has been changed from Medium to High.
     