Says Oracle: This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.
The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Check it here: CVE-2013-0422
Original Story:
A huge security exploit was discovered for Java versions 4 through 7 earlier this week, prompting the U.S. Department of Homeland Security to recommend users block the browser plug-in until Oracle can patch it.
Instead of giving users the choice, Apple has gone the safe route, blocking the plug-in from within Mac OS X.
The vulnerability allows remote installation of malware such as keyloggers and software that could turn your PC into a zombie for a botnet.
"We are currently unaware of a practical solution to this problem," said Homeland Security's Computer Emergency Readiness Team (CERT). "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
Apple was able to block the plug-in by updating its "Xprotect.plist" blacklist "to require a minimum of 1.7.0_10-b19 version of Java 7," which is set for release in a few weeks. All other versions fail the anti-malware checks of the OS.
Written by: Andre Yoskowitz @ 14 Jan 2013 22:38
