Java Security Breach

“Java 7 Update 10 and earlier Java 7 versions contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.”

“This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.”

http://www.us-cert.gov/cas/techalerts/TA13-010A.html

http://www.kb.cert.org/vuls/id/62561
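A quick way to tell whether an installed Java falls into the range the alert above names (Java 7 Update 10 and earlier) is to parse the version string that `java -version` prints. The script below is an added example, not part of the original post or of the US-CERT alert; it assumes the `1.x.y_NN` version scheme Oracle used at the time (for instance `1.7.0_10` for Java 7 Update 10) and treats Java 6 as outside this particular advisory, as Oracle's statement quoted further down in the thread says.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range per US-CERT TA13-010A as quoted above: Java 7 Update 10 and earlier.
AFFECTED_FAMILY = 7
LAST_AFFECTED_UPDATE = 10

# Java version strings of that era look like "1.7.0_10" (family 7, update 10).
# The update part is optional; a bare "1.7.0" is treated as update 0.
_VERSION_RE = re.compile(r'"?1\.(?P<family>\d+)\.\d+(?:_(?P<update>\d+))?(?:-[\w.]+)?"?')


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Extract (family, update) from a version string or from `java -version` output.

    Returns None when no recognisable 1.x-style version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    family = int(m.group("family"))
    update = int(m.group("update") or 0)
    return family, update


def is_affected_ta13_010a(text: str) -> Optional[bool]:
    """True if the version is in the range TA13-010A names (7u10 and earlier).

    Java 6 is reported as not affected by this flaw, so 1.6.x returns False.
    None means the version could not be parsed; a script should treat that as
    "unknown", never as "safe".
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    family, update = parsed
    return family == AFFECTED_FAMILY and update <= LAST_AFFECTED_UPDATE


def check_installed_java() -> Optional[bool]:
    """Run the locally installed `java -version` and classify its output.

    `java -version` prints to stderr, so both streams are inspected. If no java
    binary is on PATH there is nothing to patch and None is returned.
    """
    try:
        result = subprocess.run(["java", "-version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return None
    return is_affected_ta13_010a(result.stderr + result.stdout)


if __name__ == "__main__":
    # Constructed sample lines in the format `java -version` produced at the time.
    samples = [
        'java version "1.7.0_10"',   # last affected Java 7 update
        'java version "1.7.0_11"',   # first update past the affected range
        'java version "1.6.0_38"',   # Java 6: not covered by this alert
        'java version "1.7.0"',      # no update suffix: treated as 7u0
    ]
    for s in samples:
        print(f"{s!r:32} affected={is_affected_ta13_010a(s)}")
    print("installed java affected:", check_installed_java())
```

The parser only understands the `1.x.y_NN` naming of that era; the point of returning `None` rather than `False` for anything it cannot read is that an inventory script should flag unknown versions for a human rather than silently marking them patched.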

  1. Timbuk3

    Thanks for this info.

    According to jo’s link, “the flaw was found in Java 7, Oracle told sister site CNET in a statement that the flaw does not exist in older versions of the software.”

    I’ve been getting a nag to update my Java for a while now, but I’ve always hesitated to update Java. It seems like it always causes problems. So, I’m still safely on version 6.

  2. jo6pac

    I was getting the same thing but stayed on 6 for some reason and now I know why.

  3. Oralloy

    They are only going to release security updates for Java 6 through the end of February 2013:

    Java SE 6 End of Public Updates Notice

    After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download. For enterprise customers, who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 6 or older versions, long term support is available through Oracle Java SE Support.

    http://www.oracle.com/technetwork/java/javase/eol-135779.html#Java6-end-public-updates

  4. Uniformityville_horror

    I just turned off Java days ago. On all devices.

  5. Timbuk3

    Oracle releases software update to fix Java vulnerability

    Oracle released an emergency software update today to fix a security vulnerability in its Java software that could allow attackers to break into computers.

    The update, which is available on Oracle’s Web site, fixes a critical vulnerability in Oracle’s Java 7 that could allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that’s been set up with malicious code to take advantage of the hole.

  6. Oralloy

    I decided to roll back to Java 6:

    http://www.java.com/en/download/manual_v6.jsp

    They’ll be updating it at least until the end of February.

    And it’ll probably be safe a little while beyond that, since the platform is so mature, with all the bugs already worked out, and since all the hackers will be mainly focused on trying to compromise Java 7.

    If in a few months it feels necessary to go to Java 7 to keep getting security updates, I’ll at least have given them a few months’ time to better work the bugs out of Java 7.

  7. Timbuk3

    “I decided to roll back to Java 6”

    Good move, good advice, good link. Thanks.

  8. Oralloy

    Java 6 has an update. (So does Java 7.)

    http://www.java.com/en/download/manual_v6.jsp

    I’m not sure if this is a new exploit being fixed, or a better fix for the previous exploit (and am too tired to figure out which it is), but I see that they are saying it fixes an exploit that is “in the wild”.

  9. Oralloy

    The last update ever for Java 6 has been released:

    Version 6 Update 41

    It will only be available for download for a day or two (I believe), as the Java 6 download page is scheduled to be taken down at the end of this month.

    https://www.java.com/en/download/manual_v6.jsp

    Possibly in a month or two everyone will want to move to Java 7, as from here on out it will be the only one with security patches available.

    But if anyone wants to have the “final” most secure version of Java 6 on hand just in case you ever want to install it, now’s the time to download whatever versions you want.

    (I don’t think I’ll ever use Linux, but I’m going to grab both the 32 and 64 bit versions for Windows.)

  10. Timbuk3

    Thanks, U-man.

  11. Oralloy

    Another bit of info:

    If you don’t want Java 6 to “automatically update” to Java 7 before you’re ready to switch, you will want to turn off Java automatic updates.

    But that is easier said than done in Windows, because the Java control panel needs to be “run as administrator”, otherwise it will just ignore any change you make to the updates section. And you can’t “run as administrator” from the regular control panel.

    In order to run the Java control panel “as administrator” you have to start it from the command prompt (the old DOS window), as explained here:

    http://www.java.com/en/download/help/javacpl.xml

    (Remember to run the command prompt “as administrator” when you start it.)

  12. Oralloy

    Despite already having released the last Java 6 ever, they found this exploit already being used “in the wild”:
    http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

    So they have released a NEW “last ever” version of Java 6:

    Java 6 Update 43

    http://www.java.com/en/download/manual_v6.jsp

    Incidentally, regarding my previous post on the instructions how to prevent Java 6 from automatically updating to Java 7, I found going through the DOS window according to the official instructions tedious.

    So on a whim I tried just going directly to that “javacpl.exe” program, right-clicking it, and choosing the run-as-administrator option on the menu.

    It worked.

  13. Timbuk3

    Thanks, Uz-man. I’m having trouble with playing videos, lately, and I’m sure it’s related to these Java problems.

  14. Oralloy

    Another security breach, another “last ever” update of Java 6:

    Java 6 Update 45

    http://www.java.com/en/download/manual_v6.jsp

    In a way it’s getting funny the way they keep saying “this is our last update ever”, as they continue to produce new updates.

    But I’m glad for the continued updates.
