
Message from j-braden@tamu.edu

http://isc.sans.edu/diary/Not+so+fast+Java+7+Update+7+critical+vulnerabi... +discovered+in+less+than+24+hours/14017

Polish security firm Security Explorations has sent an advisory, with a proof-of-concept exploit, to Oracle today (Friday 31 AUG) specific to a vulnerability they discovered in the Java 7 security update released Thursday. This newly reported vulnerability can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system. Stand by for more on this one; no word yet from Oracle regarding their remediation plans.

As Rapid7's Tod Beardsley has said: "As it happens, very few websites rely on Java for dynamic content. Java isn't relied on nearly as much as Javascript and Flash. Most people can disable their Java browser plugin and not really notice the difference."

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden@tamu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gary Flynn
Sent: Friday, August 31, 2012 1:00 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released

We're starting to push the 1.7.7 patch today for 1.7 systems. We'd planned on starting to migrate most 1.6 users to 1.7 next week and will probably keep to that schedule rather than push the 1.6.35 update unless someone finds a way to quickly exploit 1.6.34. Note that Oracle support for 1.6, including security updates, ends in February. It's already been postponed at least once.

Schoenefeld, Keith P. wrote:
> Quinn,
>
> I suspect you know this, but just in case anyone reads over the notes and assumes this vulnerability is in 1.6 as well:
>
> I would recommend everyone read the release notes and security advisories and evaluate the vulnerability's risk within your environment before burning capital to get software deployed immediately.
> It'd be hard to argue that 1.7u7 is anything other than a critical vulnerability for systems that may run untrusted Java applications or applets, and for those systems the patch should be pushed through whatever fast-path deployment process is in place at your institution. The 1.6u35 patch requires more evaluation in my opinion.
>
> -- KS
>
> Keith Schoenefeld
> Information Security Analyst
> Baylor University
> 254-710-6667
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Shamblin, Quinn
> Sent: Friday, August 31, 2012 11:42 AM
> To: SECURITY@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released
>
> They have a patch for 1.6 as well. (u35)
> Java 6 update 35 - http://java.com/en/download/manual_v6.jsp
>
> Quinn R Shamblin
> ------------------------------------------------------------------------------------------------
> Executive Director of Information Security, Boston University
> CISM, CISSP, GCFA, PMP - O 617-358-6310 M 617-999-7523
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanson, Mike
> Sent: Friday, August 31, 2012 11:19 AM
> To: SECURITY@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released
>
> Has anyone seen a compromised computer on their campus related to this yet? I am trying to determine how quickly we need to move on this. We are a Banner school and a BlackBoard school and so we are using the 1.6 Java version fork because of compatibility issues with 1.7.
>
> Thank you.
>
> Mike Hanson, CISSP
> Network Security Manager
> The College of St. Scholastica
> Duluth, MN 55811
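The triage rule the thread converges on (Java 7 below Update 7 is critical and goes through fast-path deployment; Java 6 below Update 35 has a patch available but needs evaluation; Java 6 support ends in February; the 7u7 build itself already has a further reported sandbox escape, so the browser plugin stays disabled where untrusted applets could run) written out as a small inventory script. This is an added example, not something posted by anyone in the thread. It assumes you have captured the text of `java -version` from each host by whatever means your environment provides; the host names and version strings below are constructed.

```python
"""Triage Java installs against the update levels named in the thread."""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Update levels from the thread: Java 7 Update 7 (1.7.0_07) and
# Java 6 Update 35 (1.6.0_35). Anything below is missing that release.
PATCHED_UPDATE = {(1, 7): 7, (1, 6): 35}


class JavaVersion(NamedTuple):
    family: Tuple[int, int]  # (1, 7) for Java 7, (1, 6) for Java 6
    update: int              # 7 for 1.7.0_07; 0 when there is no "_NN" suffix


# First line of Oracle's `java -version` output, e.g.:  java version "1.7.0_06"
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Return the JavaVersion found in `java -version` output, or None."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, _patch, update = m.groups()
    return JavaVersion((int(major), int(minor)), int(update or 0))


def triage(v: Optional[JavaVersion]) -> Tuple[str, str]:
    """Classify one install. Returns (level, reason)."""
    if v is None:
        return "unknown", "no Java version string found; check the host manually"
    if v.family == (1, 7):
        if v.update < PATCHED_UPDATE[v.family]:
            return "critical", ("Java 7 below Update 7: Security Manager bypass "
                                "unpatched; push 1.7.0_07 through fast-path deployment")
        # 7u7 closes the original bypass, but a further escape was reported
        # against 7u7 itself, so the browser plugin stays off where untrusted
        # applets could run.
        return "patched", "Java 7 Update 7 or later; keep the browser plugin disabled"
    if v.family == (1, 6):
        if v.update < PATCHED_UPDATE[v.family]:
            return "evaluate", ("Java 6 below Update 35: 1.6.0_35 is available; "
                                "assess risk in your environment before fast-path deploy")
        return "patched", ("Java 6 Update 35 applied; vendor support ends in "
                           "February, so plan the migration to Java 7")
    return "unsupported", "Java family %d.%d is out of support; upgrade" % v.family


def scan(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> triage level for captured `java -version` outputs."""
    return {host: triage(parse_java_version(text))[0]
            for host, text in outputs.items()}


# Constructed sample captures (not real hosts), one per triage branch.
SAMPLE_OUTPUTS = {
    "lab-pc-01": 'java version "1.7.0_06"\n',
    "lab-pc-02": 'java version "1.7.0_07"\n',
    "banner-ws-03": 'java version "1.6.0_34"\n',
    "banner-ws-04": 'java version "1.6.0_35"\n',
    "legacy-05": 'java version "1.5.0_22"\n',
    "no-java-06": "'java' is not recognized as an internal or external command\n",
}

if __name__ == "__main__":
    for host, text in sorted(SAMPLE_OUTPUTS.items()):
        level, reason = triage(parse_java_version(text))
        print("%-14s %-12s %s" % (host, level, reason))
```

The version regex tolerates a missing `_NN` update suffix (treated as update 0, so it triages as needing the patch rather than being silently skipped), and a host with no parseable version is reported as `unknown` instead of being dropped from the result, since a missing reading is exactly the machine you want a human to look at.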