Java 7 Update 11 Still has a Flaw
According to a posting yesterday by Adam Gowdiak of Security Explorations to Full Disclosure, Java 7 Update 11 (CVE-2013-0422) is still vulnerable as "[...] a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)."[1]
The MBeanInstantiator bug hasn't yet been addressed. Yesterday, Security Explorations reported two more vulnerabilities to Oracle along with Proof of Concept code (issues 50 and 51) [3].
We received several comments from our readers after the patch was released [4]. How many of you have followed CERT's advice to disable Java content in your web browsers after updating to 7u11? Please take a minute to answer our poll, "What is your main concern about Java?"
[1] http://seclists.org/fulldisclosure/2013/Jan/142
[2] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
[3] http://www.security-explorations.com/en/SE-2012-01-status.html
[4] https://isc.sans.edu/diary/Java+0-Day+patched+as+Java+7+U+11+released/14932
[5] http://www.kb.cert.org/vuls/id/625617
[6] http://www.java.com/en/download/help/disable_browser.xml
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
I will be teaching SEC 503 in Toronto this coming June
Comments
Sean
Jan 19th 2013
SimonT
Jan 20th 2013
Visi
Jan 21st 2013
The digital ID only requires it for the user to enter username/password, then presents a challenge, and accepts a manually entered response from the 2-factor device. So basically a simple HTML 0.9 FORM with POST.
I almost hope there will be targeted attacks against Denmark, such that the government can do away with the Java requirement. The banks (who have a backdoor to the backend) use simple forms on their mobile solutions, so it should be easy to implement.
PHP
Jan 21st 2013
StephenG
Jan 21st 2013
Java 1.7.0_11 still has vulnerabilities, but they're newly discovered ones, and the exploit code is not in the wild.
That's if I understood the posting correctly...
df
Jan 21st 2013
"The patch did stop the exploit, fixing one of its components. But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."
Guy
Jan 22nd 2013
Laurie
Jan 22nd 2013
I love the title of the diary... "Java [...] still has _a_ flaw". I'm sure it still has a few hundred flaws, and with Oracle's fixing speed, we'll probably have a few years' worth of advisories and patching left. Replacing that broken tech is probably the only solution that is going to work in the long run.
Visi
Jan 22nd 2013