Message from j-braden@tamu.edu

Oracle just released version 1.7.07 of Java.  In theory, it addresses the zero-day vulnerability.

 

http://java.com/en/download/index.jsp

Download Java for your desktop computer now!

Version 7 Update 7

 

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

Oracle Security Alert for CVE-2012-4681

 

Description

This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Supported Products Affected

Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below.  Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.

 

 

Jimmy C Braden

Information Security Officer

AgriLife Information Technology

979-862-7254

j-braden@tamu.edu

 

Comments

Has anyone seen a compromised computer on their campus related to this yet? I am trying to determine how quickly we need to move on this. We are a Banner school and a BlackBoard school, and so we are using the 1.6 Java version fork because of compatibility issues with 1.7.

Thank you.



Mike Hanson, CISSP
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811



They have a patch for 1.6 as well. (u35)

Java 6 update 35 – http://java.com/en/download/manual_v6.jsp

 

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523

 



And to be clear, the exploit was against vulnerabilities NOT present in the 1.6 JRE.

--- original message ---
From: "Shamblin, Quinn" <qrs@BU.EDU>
Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released
Date: August 31, 2012
Time: 11:42:37


Quinn,

 

I suspect you know this, but just in case anyone reads over the notes and assumes this vulnerability is in 1.6 as well:

 

I would recommend everyone read the release notes and security advisories and evaluate the vulnerability’s risk within your environment before burning capital to get software deployed immediately.  It’d be hard to argue that 1.7u7 is anything other than a critical vulnerability for systems that may run untrusted java applications or applets, and for those systems the patch should be pushed through whatever fast-path deployment process is in place at your institution.  The 1.6u35 patch requires more evaluation in my opinion.

 

-- KS

 

Keith Schoenefeld

Information Security Analyst

Baylor University

254-710-6667

 


Thanks all for the input. 

According to Oracle 

Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html


Patch for the Java JRE 1.7 vulnerability.

"Due to the severity of these vulnerabilities, the public disclosure
of technical details and the reported exploitation of CVE-2012-4681
"in the wild," Oracle strongly recommends that customers apply the
updates provided by this Security Alert as soon as possible."

The patch "includes a security-in-depth fix in the AWT subcomponent
of the Java Runtime Environment" that is applicable to JDK and JRE 6
Update 34 and before, in addition to JDK and JRE 7 Update 6 and
before.

So it appears maybe there is more time to evaluate the patch for 6. 

Mike
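A triage check that applies the version thresholds discussed in this thread (Java 7 Update 7 for the CVE-2012-4681 fix, Java 6 Update 35 for the AWT security-in-depth fix), as an added example that is not part of the original thread or of Oracle's advisory. The inventory, host names and classification labels are constructed assumptions; the only real input is the `java -version` string format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix levels named in the Oracle alert quoted in this thread: Java 7 Update 7
# fixes CVE-2012-4681 (and the two related applet vulnerabilities); Java 6
# Update 35 carries only the AWT security-in-depth fix.
FIXED_UPDATE = {6: 35, 7: 7}

# `java -version` reports e.g. java version "1.7.0_06" for 7 Update 6.
VERSION_RE = re.compile(r'"1\.(\d+)\.0_(\d+)')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(output: str) -> str:
    """Map one host's `java -version` output to an action label (labels are assumed names)."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    major, update = parsed
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return "not-in-alert"          # release family not named in this alert
    if update >= fixed:
        return "patched"
    if major == 7:
        return "vulnerable-cve-2012-4681"   # fast-path deployment per the thread
    return "missing-6u35-defense-in-depth"  # evaluate on the normal schedule


# Constructed sample inventory (hostname -> first line of `java -version`), not real hosts.
SAMPLE_INVENTORY = {
    "lab-pc-01": 'java version "1.7.0_06"',
    "lab-pc-02": 'java version "1.7.0_07"',
    "banner-ws-03": 'java version "1.6.0_34"',
    "banner-ws-04": 'java version "1.6.0_35"',
    "kiosk-05": 'java version "1.5.0_22"',
    "kiosk-06": "bash: java: command not found",
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by action so the fast-path queue contains only the affected 1.7 hosts."""
    groups: Dict[str, List[str]] = {}
    for host, line in inventory.items():
        groups.setdefault(classify(line), []).append(host)
    return groups
```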

We're starting to push the 1.7.7 patch today for 1.7 systems. We'd planned on starting to migrate most 1.6 users to 1.7 next week and will probably keep to that schedule rather than push the 1.6.35 update unless someone finds a way to quickly exploit 1.6.34. Note that Oracle support for 1.6, including security updates, ends in February. It's already been postponed at least once.

Schoenefeld, Keith P. wrote:
> Quinn,
>
> I suspect you know this, but just in case anyone reads over the notes and assumes this vulnerability is in 1.6 as well:
>
> I would recommend everyone read the release notes and security advisories and evaluate the vulnerability's risk within your environment before burning capital to get software deployed immediately. It'd be hard to argue that 1.7u7 is anything other than a critical vulnerability for systems that may run untrusted java applications or applets, and for those systems the patch should be pushed through whatever fast-path deployment process is in place at your institution. The 1.6u35 patch requires more evaluation in my opinion.
>
> -- KS
>
> Keith Schoenefeld
> Information Security Analyst
> Baylor University
> 254-710-6667