Java Day Exploit

Java Day Exploit
This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A – Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. These vulnerabilities do not apply to Java running on servers, standalone or embedded Java applications.

This Java vulnerability is due to improper security protections on built-in classes in the Java Runtime Environment. An unsigned Java applet can use the setSecurityManager() function to bypass security checks and access an elevated security context.

This vulnerability could allow unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of a user.

Technical details of this exploit can be found here

Affected Product Releases and Versions
JDK and JRE 7 Update 10 and earlier
Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases are not affected.
This exploit affects both Windows and Mac.

The Solution
Java 7 Update 11 fixes a critical flaw (CVE-2013-0422) in Java 7 Update 10 and earlier versions of Java 7. The update is available via Oracle’s Web site, or can be downloaded from with Java via the Java Control Panel. Existing users should be able to update by visiting the Windows Control Panel and clicking the Java icon, or by searching for “Java” and clicking the “Update Now” button from the Update tab. Apple have dropped Java (i.e. removed it from Safari) meaning that users have to explicitly install it since late last year, impacting BYOD strategies for SSL VPN Juniper clients which utilise a Java host scan.