Message from j-braden@tamu.edu

http://isc.sans.edu/diary/Not+so+fast+Java+7+Update+7+critical+vulnerabi... +discovered+in+less+than+24+hours/14017

Polish security firm Security Explorations has sent an advisory, with a proof-of-concept exploit, to Oracle today (Friday 31 AUG) specific to a vulnerability they discovered in the Java 7 security update released Thursday. This newly reported vulnerability can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system. Stand by for more on this one; no word yet from Oracle regarding their remediation plans.

As Rapid7's Tod Beardsley has said: "As it happens, very few websites rely on Java for dynamic content. Java isn't relied on nearly as much as Javascript and Flash. Most people can disable their Java browser plugin and not really notice the difference."

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden@tamu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gary Flynn
Sent: Friday, August 31, 2012 1:00 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released

We're starting to push the 1.7.7 patch today for 1.7 systems. We'd planned on starting to migrate most 1.6 users to 1.7 next week and will probably keep to that schedule rather than push the 1.6.35 update unless someone finds a way to quickly exploit 1.6.34.

Note that Oracle support for 1.6, including security updates, ends in February. It's already been postponed at least once.

Schoenefeld, Keith P. wrote:
> Quinn,
>
> I suspect you know this, but just in case anyone reads over the notes and assumes this vulnerability is in 1.6 as well:
>
> I would recommend everyone read the release notes and security advisories and evaluate the vulnerability's risk within your environment before burning capital to get software deployed immediately. It'd be hard to argue that 1.7u7 is anything other than a critical vulnerability for systems that may run untrusted Java applications or applets, and for those systems the patch should be pushed through whatever fast-path deployment process is in place at your institution. The 1.6u35 patch requires more evaluation in my opinion.
>
> -- KS
>
> Keith Schoenefeld
> Information Security Analyst
> Baylor University
> 254-710-6667
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Shamblin, Quinn
> Sent: Friday, August 31, 2012 11:42 AM
> To: SECURITY@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released
>
> They have a patch for 1.6 as well. (u35)
> Java 6 update 35 - http://java.com/en/download/manual_v6.jsp
>
> Quinn R Shamblin
> ------------------------------------------------------------------------------------------------
> Executive Director of Information Security, Boston University
> CISM, CISSP, GCFA, PMP - O 617-358-6310 M 617-999-7523
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanson, Mike
> Sent: Friday, August 31, 2012 11:19 AM
> To: SECURITY@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released
>
> Has anyone seen a compromised computer on their campus related to this yet? I am trying to determine how quickly we need to move on this. We are a Banner school and a BlackBoard school and so we are using the 1.6 Java version fork because of compatibility issues with 1.7.
>
> Thank you.
>
> Mike Hanson, CISSP
> Network Security Manager
> The College of St. Scholastica
> Duluth, MN 55811