Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us

    Oracle recently released a security advisory for a critical patch for Java, which updates Java 7 to Update 13. (Users of the older Java 6 also received an update, taking them to Update 39.) Accordingly, this advisory addresses several vulnerabilities for the following affected products:

    • JDK and JRE 7 Update 11 and earlier
    • JDK and JRE 6 Update 38 and earlier
    • JDK and JRE 5.0 Update 38 and earlier
    • SDK and JRE 1.4.2_40 and earlier
    • JavaFX 2.2.4 and earlier

    Fifty vulnerabilities were patched in this update. According to Oracle, one of these vulnerabilities is already being exploited in the wild, which is why the update was released early (instead of February 19 as originally scheduled).

    We believe that the targeted vulnerability is a Java Security Slider vulnerability, which is covered in CVE-2013-1489. It does not necessarily lead to exploitation but when combined with other vulnerabilities can actually lead to a ‘blind’ exploitation. For instance, when the Security Slider is set to the default (high) all unsigned applets must be authorized via a dialog box by a browser user in order to execute. This provides the browser operator the opportunity to prevent execution of suspicious applets that may result in successful exploits. However, when CVE-2013-1489 is combined with vulnerabilities that can be used to cause direct impacts, the effect can be that the impact can be caused “silently” without the authorization dialog box.

    Just last month, Oracle released a security fix for the Java zero-day for CVE-2013-0422. The said fix is ‘incomplete’ due to an issue in findclass, method of com.sun.jmx.mbeanserver.MBeanInstantiator class which can possibly open a security hole when combined to another vulnerability. Similar to the Java Security Slider vulnerability, on its own, it cannot be exploited.

    While this vulnerability does not pose risk on its own, it is highly recommended that users download and install the latest version on their systems immediately.  For enterprises and users who need to use Java, you can refer to this post for tips.

    With additional inputs from Vulnerability researcher Pavithra Hanchagaiah





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice