Someone Posted January 11, 2013 Posted January 11, 2013 Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException". By leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier are affected. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. Impact By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Solution We are currently unaware of a practical solution to this problem. Please consider the following workarounds: http://www.us-cert.gov/current/ In my area a nation wide alert has been issued, encouraging to disable Java in browsers ASAP Quote
Gang-Life Posted January 27, 2013 Posted January 27, 2013 http://www.us-cert.gov/current/ In my area a nation wide alert has been issued, encouraging to disable Java in browsers ASAP There was also some in 9,8,7,6,5, nothing new. there will always be vuln w/ java no matter what Quote
Someone Posted January 27, 2013 Author Posted January 27, 2013 Just not everyday they put out national alert. Checked the source of the alert it was way more hyped that the US one. The alert focused on that many web banks use Java for the login proccess, but most of the security risk was related to the dev kit. Quote
lucky3809 Posted January 27, 2013 Posted January 27, 2013 Firefox disabled it automatically. It's been a threat since last year. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.