DaemonForums  

Zero day Java exploit being used in the wild

#1
11th January 2013
jggimi

This affects all versions of Oracle Java (JRE 1.7 Update 10 and earlier), including both the JRE and JRE browser plugins.

From US DHS CERT:
Quote:
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.

Impact


By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:


Disable Java in web browsers


Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

#2
11th January 2013
Carpetsmoker

To quote a certain bowl of petunias:
"Oh no, not again".
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

#3
13th January 2013
Ninguem

Why is it called "In the wild"?

Are there a bunch of crazed woodland creatures passing away their time hacking and not hibernating?

Serious side: Java has been and is known for running on most architectures and being able to affect them. An exploit on a SPARC64 machine can be used to control i386 clients. Did the particular developer of the code in question test it for vulnerabilities?
Sometimes there should be more people like deRaadt when it comes to code.
__________________
No signature

#4
14th January 2013
jggimi

Oracle issued an emergency update over the weekend (JRE 7 Update 11) which some reports have called insufficient. Here's an in-depth article.

#5
14th January 2013
J65nko

From another site: http://www.networkworld.com/communit...ke-2-years-fix

Quote:
Oracle releases emergency Java patch; experts warn flaws may take 2 years to fix

Oracle released an emergency patch for Java, but security experts warn the patch doesn't fix all critical vulnerabilities. Not counting future Java exploits, the current Java bugs may take '2 years' to fully fix. In fact, US-CERT advises, "Unless it is absolutely necessary to run Java in web browsers, disable it, even after updating to 7u11."
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#6
14th January 2013
jggimi

To be clear, the security flaw affects JRE as well as the JRE plugin; the press is focused on the plugin, but if I understand the problem, there is still a risk with JRE (non-plugin) if it is used as a Client in a Client/Server HTML application.

#7
17th January 2013
J65nko

According to "Another Java zero-day vulnerability apparently available", the problems with Java are still not over ...
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#8
20th January 2013
Ninguem

The problem with Java is so apparent that one of my friends who is not into computers/OSes/architectures as I am had mentioned it.
__________________
No signature