Java 0-Day patched as Java 7 U 11 released
Oracle has released Java 7 Update 11, which addresses the 0-day vulnerability referenced as CVE-2013-0422.
Release notes are available on the Oracle Web Site.
The release also contains a reminder to 'reactivate' your Java installation in the control panel if you turned it off, or to reactivate it in Firefox. Watch for the rush now.
Thanks to Michael and PSZ for the heads-up.
Steve
Comments
I ran the uninstaller in CCleaner just because the word out there was sounding a bit scary.
And I removed all remnants in the folders in Windows manually and with JavaRa.
raproducts.org/wordpress/
Now I'm downloading the versions so I can reinstall them.
Thank You,
BC
MrClarke
Jan 14th 2013
1 decade ago
Personally, I would recommend, for most people, that the browser plugin be left turned off permanently if possible.
(Definitely update, or uninstall, however.)
Most users will rarely require a site that uses Java applets, so keep the Java plugin shut off if at all possible; even with the vuln patched it should be seen as a big risk, due to Java's apparently inadequate sandboxing.
The harder problem is the MS Internet Explorer vulnerabilities.
Mysid
Jan 14th 2013
1 decade ago
http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert
Doug
Jan 14th 2013
1 decade ago
KGH
Jan 14th 2013
1 decade ago
MarlonBorba
Jan 14th 2013
1 decade ago
Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312
Cricket
Jan 14th 2013
1 decade ago
Don't install it unless you need it. Less than 0.2% of public websites need it (W3Techs http://w3techs.com/technologies/overview/client_side_language/all).
Follow CERT guidance on disabling it in the IE Internet zone http://www.kb.cert.org/vuls/id/636312
[posted by Cricket, Mon Jan 14 2013, 16:25]
^^^^^
If what Cricket says is true, then why are we bothering to use this piece of work?
I'm going to unwind it altogether.
Mr.H.E.Clarke,III
MrClarke
Jan 14th 2013
1 decade ago
The current Java 7 Update 11 release only fixes CVE-2012-3174; CVE-2013-0422 remains intact and Java 7 is still vulnerable. All an attacker need do is mix a new cocktail using the CVE-2012-3174 vulnerability plus a new twist and here we go all over again.
Immunity Products has already verified this here:
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
toymaster
Jan 15th 2013
1 decade ago
18 Jan 2013 - "... We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21)... two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today [4] (along with a working Proof of Concept code)..."
PC.Tech
Jan 19th 2013
1 decade ago