Dons Deals


Monday, 14 January 2013

Java Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code

Posted on 16:27 by Unknown
This is an unusually Strong Warning about a Java Vulnerability. Read on...

Don

Vulnerability Note VU#625617

Java 7 fails to restrict access to privileged code

Original Release date: 10 Jan 2013 | Last revised: 14 Jan 2013


Overview

Java 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin, and it is that manager's policy which keeps untrusted applet code inside the sandbox. The Javadoc for System.setSecurityManager states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException". Sandboxed applet code is not granted that permission, so a direct attempt to replace or remove the manager is refused.

By leveraging a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving recursive use of the Reflection API via the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling setSecurityManager() to remove the sandbox and run with full privileges, without requiring code signing. Oracle Java 7 Update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected. The invokeWithArguments method was introduced with Java 7, so Java 6 is not affected.
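The following is an added example, not code from the CERT note or from Oracle, illustrating the check described in the two paragraphs above. A small custom SecurityManager (a stand-in for the applet sandbox policy; the class name NoReplaceManager and the demo class name are this example's own) denies only RuntimePermission("setSecurityManager") and allows everything else so the demo can run. With it installed, every normal route to System.setSecurityManager(null), including a MethodHandle invoked through invokeWithArguments, must end in a SecurityException, because setSecurityManager performs the checkPermission call itself regardless of how it was reached. The example does not reproduce the MBean/reflection chain that let exploit code sidestep this check on Java 7 Update 10 and earlier; it shows what a correctly enforced sandbox looks like.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Permission;

/**
 * Added example (not from the CERT note). Demonstrates the
 * RuntimePermission("setSecurityManager") check that sandboxed applet code
 * must not be able to pass.
 *
 * JDK 18 to 23 disable the Security Manager by default; run with
 *   java -Djava.security.manager=allow SandboxCheckDemo
 * JDK 24 and later remove the Security Manager entirely, so this demo needs
 * an older JDK there.
 */
public class SandboxCheckDemo {

    /** Stand-in for the sandbox policy: forbids replacing the manager only. */
    static final class NoReplaceManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("sandbox denied " + perm);
            }
            // Every other permission is allowed so the demo itself can run.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** One attempt to drop the sandbox; may throw anything. */
    interface Attempt {
        void run() throws Throwable;
    }

    /**
     * Runs an attempt and returns true only if the sandbox blocked it with a
     * SecurityException. Method.invoke wraps the exception in an
     * InvocationTargetException, so that case is unwrapped first.
     */
    static boolean blocked(String label, Attempt attempt) {
        try {
            attempt.run();
            System.out.println(label + ": NOT blocked, manager is now "
                    + System.getSecurityManager());
            return false;
        } catch (Throwable t) {
            Throwable cause = (t instanceof InvocationTargetException)
                    ? t.getCause() : t;
            boolean secEx = cause instanceof SecurityException;
            System.out.println(label + (secEx ? ": blocked by " : ": failed with ")
                    + cause);
            return secEx;
        }
    }

    public static void main(String[] args) throws Throwable {
        // No manager is installed yet, so this first call is not checked.
        System.setSecurityManager(new NoReplaceManager());

        // 1. Direct call: setSecurityManager calls checkPermission itself.
        blocked("direct call", () -> System.setSecurityManager(null));

        // 2. Core reflection: same check, reached through Method.invoke.
        Method m = System.class.getMethod("setSecurityManager", SecurityManager.class);
        blocked("Method.invoke", () -> m.invoke(null, (Object) null));

        // 3. Method handle invoked via invokeWithArguments, the Java 7 API
        //    named in the note. On a correctly behaving JRE the check still
        //    runs inside setSecurityManager and still throws.
        MethodHandle mh = MethodHandles.lookup().findStatic(
                System.class, "setSecurityManager",
                MethodType.methodType(void.class, SecurityManager.class));
        blocked("MethodHandle.invokeWithArguments",
                () -> mh.invokeWithArguments(new Object[] { null }));

        System.out.println("sandbox still in place: "
                + (System.getSecurityManager() instanceof NoReplaceManager));
    }
}
```

Compile and run with `javac SandboxCheckDemo.java && java SandboxCheckDemo` (adding `-Djava.security.manager=allow` on JDK 18 to 23). All three attempts should report "blocked by java.lang.SecurityException" and the final line should print true; the vulnerability in the note is precisely that, on Java 7 Update 10 and earlier, untrusted code could arrange for the third style of call to run with the check defeated.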

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.

Impact

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.

Solution

Read More...
http://www.kb.cert.org/vuls/id/625617

References

  • https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/
  • http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
  • http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
  • http://seclists.org/bugtraq/2013/Jan/48
  • http://seclists.org/fulldisclosure/2013/Jan/77
  • http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf
  • http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments%28java.util.List%29
  • http://www.java.com/en/download/help/disable_browser.xml
  • https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
  • https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
  • http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
  • http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
  • https://bugzilla.redhat.com/show_bug.cgi?id=894172
  • http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
  • https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224

Credit

Thanks to Kafeine for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2013-0422
  • Date Public: 10 Jan 2013
  • Date First Published: 10 Jan 2013
  • Date Last Updated: 14 Jan 2013
  • Document Revision: 107


News 01-14-13
Magic eye spectrum analyzer
A Bluetooth trackpad from a resistive touchscreen
This has not been a good week for the hacker community
Aaron Swartz death: #pdftribute hashtag aggregates copyrighted articles released online in tribute to internet activist.
Oracle releases patch for Java after U.S. government warning - The Washington Post
Security Firm Discovers Cyber-Spy Campaign - NYTimes.com
Aaron Swartz, a Data Crusader and Now, a Cause - NYTimes.com
Linux Today - Has Google Become Institution-Bound?
Things Linux: Has Google Become Institution-Bound?
Linux Today - Gentoo: A Linux Distribution Where You Compile Your Own Optimized Software
Gentoo: A Linux Distribution Where You Compile Your Own Optimized Software
Linux Today - KDE Workspaces and Applications 4.10 on live images courtesy of openSUSE
KDE Workspaces and Applications 4.10 on live images courtesy of openSUSE | dennogumi.org
Krell Introduces Foundation 7.1-Channel AV Processor
Department of Homeland Security: Disable Java 'Unless It Is Absolutely Necessary' - NYTimes.com
Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code
Linux Today - Track Photo Locations on Android Device using GPS Map
Track Photo Locations on Android Device using GPS Map « Scribbles and Snaps
Linux Today - The 10 oldest, significant open source programs
The 10 oldest, significant open-source programs | ZDNet
Linux Today - Touchscreen proliferation could open desktop to Android
Touchscreen proliferation could open desktop to Android | PCWorld
Type4me is a hardware clipboard for your digital copy and paste needs
Unwrapping images of cylindrical objects
Papercraft dial is the slide-ruler of current limiting resistors
Insentricity :: Electronics ::

