Critical 0-Day Java Bug "Massively Exploited"

Discussion in 'other security issues & news' started by Mman79, Jan 10, 2013.

Thread Status:
Not open for further replies.
  1. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Just
    Another
    Vulnerability
    Added

    :mad:
     
  2. ravnen

    ravnen Registered Member

    Joined:
    Mar 2, 2009
    Posts:
    17
    Hello

    You can download Version 7 Update 11 now on java.com
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,517
    Location:
    Canada
    Thanks for the update, ravnen!

    This version now displays a pop-up warning, even after the usual prompt to allow java permission to run...
     

    Attached Files:

  4. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,103
    Location:
    on my zx10-r
    JAVA UPDATE HIGHLY RECC TO UPDATE 7 UPDATE 11

    Download page here:

    http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

    changelog here:
    Bug Fixes

    This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422.

    In addition, the following change has been made:

    Area: deploy
    Synopsis: Default Security Level Setting Changed to High
    The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.

    http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

    this should be considered a urgent update and if you do use java this should be done immediately.
     
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Re: JAVA UPDATE HIGHLY RECC TO UPDATE 7 UPDATE 11

    Okay, who else is putting money on this update opening up another hole or being an incomplete patch?
     
  6. brave71_heart

    brave71_heart Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    6
    Thanks for the reply...
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,517
    Location:
    Canada
    source
     
  8. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    :thumb:
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    It just will not die die die.:blink: Can someone please exploit it so it vanishes.
     
  10. encus

    encus Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    535
    :D :D
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Maybe it disappears, but then what? Are you going to wish for the next big thing to disappear as well, and so on and so forth? Eventually, no one will be able to use nothing. :argh:

    This kind of comment always makes me think of those who wish Facebook never existed. If it weren't Facebook, it would be something else, and if it goes away one day, some other service will become the new target about their privacy, etc.

    The problems with Java is that there's no proper sandbox, no working auto-update mechanism, slow patching. If they solve these 3, users will be a lot safer (those who may not even realize they got it installed).
     
  12. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  13. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Java 7 update 11 security patch fixes nothing.
    Article
     
  14. LeafsMan

    LeafsMan Registered Member

    Joined:
    Sep 7, 2012
    Posts:
    9
    Location:
    Canada
    I agree. last time I checked they have not even made a statement about the situation.
     
  15. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,909
    Location:
    USA
    If Java 7 Update 11 64-bit for 64-bit versions of Windows and Linux are no good what about Java 7 update 11 for Windows and Linux 32 bit?
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,517
    Location:
    Canada
    I'm hoping to witness one of these exploit attempts in action on my setup, but it just never happens :(
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It would never work if you were expecting it.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,517
    Location:
    Canada
    Sure, I'll give it a chance to leap into action :D
     
  19. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I don't believe there's and differentiation between 32 and 64 bit. I cannot comment on Linux. The patch has been a total fizzle.
     
  20. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Re: JAVA UPDATE HIGHLY RECC TO UPDATE 7 UPDATE 11

    Should be an easy bet.
     
  21. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,198
    Location:
    Pennsylvania.
    If one went to safe sites would they be safe or would there be a slight chance they could be compromised? Soofly is wondering what to do, she tried disabling it in Waterfox but then Facebook didn't let her see her messages and it kept asking to enable it over and over with constant loading.
     
  22. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    I have no trouble at all finding malware on legit sites including the webmail page of an ISP (flash ad malware).

    I have seen exploits attack on ebaumsworld, okcupid and failblog. If its got ads the site is not safe.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,986
    Location:
    California
    In addition to ad malware, sites can be compromised with embedded code to redirect the victim to the cybercriminal's site which hosts the Java exploit.

    See this explanation from last year:

    http://blog.shadowserver.org/2012/0...s-trusted-websites-serving-dangerous-results/

    It shows that one exploit uses a hidden iframe in the web page to redirect to a Java exploit.

    Scroll down a bit to the "Exploit Chain" screen shot.


    ----
    rich
     
  24. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  25. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    That security level slider was present in the previous version (v 7 update 10) too, but now with update 11 the recommended (default?) setting has been changed from Medium to High.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.