Don
Vulnerability Note VU#625617
Java 7 fails to restrict access to privileged code
Overview
Java 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. OpenJDK is an open-source implementation of the Java platform, and the IcedTea project aims to make it easier to deploy OpenJDK, including a web browser plugin. The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException". |
Impact
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability. |
Solution
Read More...http://www.kb.cert.org/vuls/id/625617
References
- https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/
- http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
- http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
- http://seclists.org/bugtraq/2013/Jan/48
- http://seclists.org/fulldisclosure/2013/Jan/77
- http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf
- http://docs.oracle.com/javase/7/docs/api/java/lang/invoke/MethodHandle.html#invokeWithArguments%28java.util.List%29
- http://www.java.com/en/download/help/disable_browser.xml
- https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
- https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
- http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
- http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
- https://bugzilla.redhat.com/show_bug.cgi?id=894172
- https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
- http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
- https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224
Credit
Thanks to Kafeine for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2013-0422
- Date Public: 10 Jan 2013
- Date First Published: 10 Jan 2013
- Date Last Updated: 14 Jan 2013
- Document Revision: 107
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.
- News 01-14-13
- Magic eye spectrum analyzer
- A Bluetooth trackpad from a resistive touchscreen
- This has not been a good week for the hacker community
- Aaron Swartz death: #pdftribute hashtag aggregates copyrighted articles released online in tribute to internet activist.
- Oracle releases patch for Java after U.S. government warning - The Washington Post
- Security Firm Discovers Cyber-Spy Campaign - NYTimes.com
- Aaron Swartz, a Data Crusader and Now, a Cause - NYTimes.com
- Linux Today - Has Google Become Institution-Bound?
- Things Linux: Has Google Become Institution-Bound?
- Linux Today - Gentoo: A Linux Distribution Where You Compile Your Own Optimized Software
- Gentoo: A Linux Distribution Where You Compile Your Own Optimized Software
- Linux Today - KDE Workspaces and Applications 4.10 on live images courtesy of openSUSE
- KDE Workspaces and Applications 4.10 on live images courtesy of openSUSE | dennogumi.org
- Krell Introduces Foundation 7.1-Channel AV Processor
- Department of Homeland Security: Disable Java 'Unless It Is Absolutely Necessary' - NYTimes.com
- Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code
- Linux Today - Track Photo Locations on Android Device using GPS Map
- Track Photo Locations on Android Device using GPS Map « Scribbles and Snaps
- Linux Today - The 10 oldest, significant open source programs
- The 10 oldest, significant open-source programs | ZDNet
- Linux Today - Touchscreen proliferation could open desktop to Android
- Touchscreen proliferation could open desktop to Android | PCWorld
- Type4me is a hardware clipboard for your digital copy and paste needs
- Unwrapping images of cylindrical objects
- Papercraft dial is the slide-ruler of current limiting resistors
- Insentricity :: Electronics ::
0 comments:
Post a Comment