
Message from j-braden@tamu.edu

Oracle just released version 1.7.07 of Java. In theory, it addresses the zero day vulnerability.

 

http://java.com/en/download/index.jsp

Download Java for your desktop computer now!

Version 7 Update 7

 

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

Oracle Security Alert for CVE-2012-4681

 

Description

This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Supported Products Affected

Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below.  Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.

 

 

Jimmy C Braden

Information Security Officer

AgriLife Information Technology

979-862-7254

j-braden@tamu.edu

 


Comments

Has anyone seen a compromised computer on their campus related to this yet? I am trying to determine how quickly we need to move on this. We are a Banner school and a BlackBoard school and so we are using the 1.6 Java version fork because of compatibility issues with 1.7.

Thank you.



Mike Hanson, CISSP
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811



They have a patch for 1.6 as well. (u35)

Java 6 update 35 – http://java.com/en/download/manual_v6.jsp

 

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanson, Mike
Sent: Friday, August 31, 2012 11:19 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released

 

Has anyone seen a compromised computer on their campus related to this yet? I am trying to determine how quickly we need to move on this. We are a Banner school and a BlackBoard school and so we are using the 1.6 java version fork because of compatibility issues with 1.7

 

Thank you.

 



Mike Hanson, CISSP
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811


And to be clear, the exploit was against vulnerabilities NOT present in the 1.6 JRE.

--- original message ---
From: "Shamblin, Quinn" <qrs@BU.EDU>
Subject: Re: [SECURITY] Java 7 Security Manager Bypass Vulnerability - Java 1.7.07 just released
Date: August 31, 2012 Time: 11:42:37

> They have a patch for 1.6 as well. (u35)
>
> Java 6 update 35 – http://java.com/en/download/manual_v6.jsp


Quinn,

 

I suspect you know this, but just in case anyone reads over the notes and assumes this vulnerability is in 1.6 as well:

 

I would recommend everyone read the release notes and security advisories and evaluate the vulnerability’s risk within your environment before burning capital to get software deployed immediately.  It’d be hard to argue that 1.7u7 is anything other than a critical vulnerability for systems that may run untrusted java applications or applets, and for those systems the patch should be pushed through whatever fast-path deployment process is in place at your institution.  The 1.6u35 patch requires more evaluation in my opinion.

 

-- KS

 

Keith Schoenefeld

Information Security Analyst

Baylor University

254-710-6667


Thanks all for the input. 

According to Oracle 

Oracle Security Alert for CVE-2012-4681
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html


Patch for the Java JRE 1.7 vulnerability.

"Due to the severity of these vulnerabilities, the public disclosure
of technical details and the reported exploitation of CVE-2012-4681
"in the wild," Oracle strongly recommends that customers apply the
updates provided by this Security Alert as soon as possible."

The patch "includes a security-in-depth fix in the AWT subcomponent
of the Java Runtime Environment" that is applicable to JDK and JRE 6
Update 34 and before, in addition to JDK and JRE 7 Update 6 and
before.

So it appears maybe there is more time to evaluate the patch for 6. 

Mike
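The thread's triage rule (Java 7 below Update 7 is exposed to the in-the-wild CVE-2012-4681 exploit and needs the fast-path push; Java 6 below Update 35 only lacks the AWT security-in-depth fix and can be evaluated on a normal schedule) is easy to get wrong by hand across a fleet. The following is an added example, not code from the list or from Oracle: it parses the first line of `java -version` output and classifies each host. The host names and version strings are constructed sample data; the fixed-at levels (7u7, 6u35) and the affected ranges (7u6 and earlier, 6u34 and earlier) come from the Oracle alert quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Fix levels from the Oracle alert quoted in the thread:
# Java 7 Update 7 fixes CVE-2012-4681 and two other browser-side bugs;
# Java 6 Update 35 carries the AWT security-in-depth fix for 6u34 and earlier.
FIXED_UPDATE = {7: 7, 6: 35}

# `java -version` prints e.g.  java version "1.7.0_06"  on its first line.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)"')


@dataclass(frozen=True)
class JavaLevel:
    major: int   # 6 or 7 in this alert's terms
    update: int  # the "uNN" update number


def parse_java_version(output: str) -> Optional[JavaLevel]:
    """Extract (major, update) from `java -version` output; None if unparseable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return JavaLevel(int(m.group(1)), int(m.group(2)))


def triage(level: Optional[JavaLevel]) -> str:
    """Map an installed level to the action the thread argues for."""
    if level is None:
        return "unknown: could not parse version string, inspect host manually"
    fixed = FIXED_UPDATE.get(level.major)
    if fixed is None:
        return f"unknown: Java {level.major} is not covered by this alert"
    if level.update >= fixed:
        return f"ok: Java {level.major}u{level.update} is at or past the fix level (u{fixed})"
    if level.major == 7:
        # Exploited in the wild; this is the fast-path deployment case.
        return f"critical: Java 7u{level.update} exposed to CVE-2012-4681, push 7u7 now"
    # Java 6: not affected by the exploited bug, only missing the AWT hardening.
    return f"evaluate: Java 6u{level.update} lacks the 6u35 security-in-depth fix"


def triage_fleet(samples: Dict[str, str]) -> Dict[str, str]:
    """Classify every host's captured `java -version` output."""
    return {host: triage(parse_java_version(out)) for host, out in samples.items()}


# Constructed sample captures (not real hosts or real inventory data).
SAMPLE_OUTPUTS = {
    "lab-pc-01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (constructed)',
    "lab-pc-02": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (constructed)',
    "banner-ws-1": 'java version "1.6.0_34"\nJava(TM) SE Runtime Environment (constructed)',
    "banner-ws-2": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (constructed)',
    "kiosk-9": 'bash: java: command not found',
}

if __name__ == "__main__":
    for host, verdict in sorted(triage_fleet(SAMPLE_OUTPUTS).items()):
        print(f"{host:12} {verdict}")
```

Feed it the real output of `java -version 2>&1` collected by whatever inventory tool your campus uses; the "evaluate" bucket is the one the thread says can wait for the planned 1.6 to 1.7 migration, while the "critical" bucket should go through the fast-path process.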

We're starting to push the 1.7.7 patch today for 1.7 systems. We'd planned on starting to migrate most 1.6 users to 1.7 next week and will probably keep to that schedule rather than push the 1.6.35 update unless someone finds a way to quickly exploit 1.6.34. Note that Oracle support for 1.6, including security updates, ends in February. It's already been postponed at least once.