Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us

    Oracle has just released its security update for June 2013 — a release that comprises of 40 security updates, with 37 of them addressing vulnerabilities that lead to malware execution. Also among the updates is one that fixes a vulnerability found in Javadoc tool — a documentation generator and is commonly used in websites.

    The said vulnerability, also identified as CVE-2013-1571, can be used to steal important user data by injecting an attacker controlled frame in generated Javadoc HTML page. This vulnerability is also known as Frame Injection vulnerability.

    Javadoc is a tool that generates .HTML documentation from Javadoc comments in the code. The vulnerability is due to a defect in the JavaScript code that is included as part of the HTML pages generated by the Javadoc tool. Hence all the websites using such HTML pages can be used by an attacker to steal their user data or to install malware by redirecting an unsuspecting user to attacker-controlled website.

    Oracle released two fixes in their June 2013 Oracle Java SE Critical Patch Update to address this vulnerability. The first is an updated Javadoc tool, while the second is a fix-in-place tool that patches the vulnerability from pages generated by Javadoc without having to regenerate existing JavaDocs. Needless to say, we strongly advise customers to apply the fixes the soonest possible.

    Trend Micro Deep Security customers are advised to update to the latest update DSRU13-020. The following Deep Security rule 1005553 – Oracle JavaDoc Frame Injection Vulnerability addresses the said issue.

    Hat tip to CERT for sharing the necessary information with us.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice