
According to a posting yesterday by Adam Gowdiak of Security Explorations to Full Disclosure [1], Java 7 Update 11, the out-of-band release that fixed CVE-2013-0422 [2], is still vulnerable: "[...] a complete Java security sandbox bypass can still be gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)." [1]

The MBeanInstantiator bug hasn't yet been addressed. Yesterday, Security Explorations reported two more vulnerabilities (issues 50 and 51) to Oracle, along with proof-of-concept code [3].

We received several comments from readers after the patch was released [4]. How many of you followed CERT's advice [5] to disable Java content in the web browser [6] after updating to 7u11? Please take a minute to answer our poll: What is your main concern about Java?

[1] http://seclists.org/fulldisclosure/2013/Jan/142

[2] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

[3] http://www.security-explorations.com/en/SE-2012-01-status.html

[4] https://isc.sans.edu/diary/Java+0-Day+patched+as+Java+7+U+11+released/14932

[5] http://www.kb.cert.org/vuls/id/625617

[6] http://www.java.com/en/download/help/disable_browser.xml


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

I will be teaching SEC 503 in Toronto this coming June
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.