Java Day Exploit
This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A – Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. These vulnerabilities do not apply to Java running on servers, standalone or embedded Java applications.
This Java vulnerability is due to improper security protections on built-in classes in the Java Runtime Environment. An unsigned Java applet can use the setSecurityManager() function to bypass security checks and access an elevated security context.
This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the logged-in user.
Technical details of this exploit can be found here
Affected Product Releases and Versions
JDK and JRE 7 Update 10 and earlier
Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.
This exploit affects both Windows and Mac.
The Solution
Java 7 Update 11 fixes a critical flaw (CVE-2013-0422) in Java 7 Update 10 and earlier versions of Java 7. The update is available from Oracle's website, or can be downloaded through the Java Control Panel. Existing users should be able to update by opening the Windows Control Panel and clicking the Java icon, or by searching for "Java" and clicking the "Update Now" button on the Update tab. Apple dropped Java (i.e. removed it from Safari) late last year, so users now have to install it explicitly; this impacts BYOD strategies for Juniper SSL VPN clients that rely on a Java host scan.
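To confirm that the update has actually landed on a machine, the banner printed by `java -version` can be checked against the affected range given above (7 Update 10 and earlier affected, 7 Update 11 fixed, Java 6/5.0/1.4.2 not affected). The following is an added example, not code from the alert or from Oracle; the banner strings it parses are constructed samples.

```python
import re
import subprocess

# From the alert: JDK/JRE 7 Update 10 and earlier are affected, 7 Update 11
# fixes CVE-2013-0422, and Java 6, 5.0 and 1.4.2 are not affected.
FIXED_UPDATE = 11

# Matches the first line of `java -version`, e.g. java version "1.7.0_10"
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (feature_release, update) from a `java -version` banner.

    "1.7.0_10" -> (7, 10); "1.6.0_37" -> (6, 37); a missing update number
    counts as update 0. Returns None when no version string is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    major, minor = int(major), int(minor)
    feature = minor if major == 1 else major   # old "1.x" scheme vs "9.0.1" scheme
    return feature, (int(update) if update is not None else 0)


def is_affected_by_cve_2013_0422(banner):
    """True only for Java 7 with update < 11, the range the alert lists as affected."""
    parsed = parse_java_version(banner)
    if parsed is None:
        raise ValueError("no Java version string found in: %r" % banner)
    feature, update = parsed
    return feature == 7 and update < FIXED_UPDATE


def check_local_java():
    """Run `java -version` on this host (it prints to stderr) and classify it."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_affected_by_cve_2013_0422(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for sample in ('java version "1.7.0_10"', 'java version "1.7.0_11"',
                   'java version "1.6.0_37"'):
        state = "AFFECTED" if is_affected_by_cve_2013_0422(sample) else "not affected"
        print(sample, "->", state)
```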
References
http://blogs.technet.com/b/mmpc/archive/2013/01/20/a-technical-analysis-of-a-new-java-vulnerability-cve-2013-0422.aspx
http://krebsonsecurity.com/tag/cve-2013-0422/
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
http://blogs.cisco.com/security/new-java-vulnerability-being-exploited-in-the-wild/
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html#PatchTable