Java Vulnerability Blog, from Tivoli AVP
Posted by laksri
Please visit https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us
A new Java zero-day vulnerability, CVE-2013-0422, was publicly reported on January 10, 2013. Details about this issue are available in a Vulnerability Note published by CERT/CC Carnegie Mellon and also available in Alert (TA13-010A) published by the United States Computer Emergency Readiness Team (US-CERT). This vulnerability can only be exploited as ...
It has all product-related alerts also.
Posted by laksri
Researchers from the Polish firm Security Explorations have identified a serious vulnerability in the latest version of Java that completely bypasses the new security level Oracle recently introduced for Java applets. Coupled with the two other vulnerabilities discovered by the same firm less than two weeks ago, Java users are once again as vulnerable as they were before the latest update.
Some background is required. As we noted when Java 7 Update 11 was released, Oracle changed the default Java Security Level setting from Medium to High, meaning the user is now always prompted before any unsigned Java applet or Java Web Start application is run. This is to prevent drive-by-downloads, as Oracle explains:
When the last two Java vulnerabilities were discovered, Security Explorations CEO Adam Gowdiak told us that the new protective layer, available only on Microsoft’s operating system, was working as expected. Yet Gowdiak recently discovered a way to circumvent the protection, according to a Full Disclosure post he made last night:
From: http://thenextweb.com/insider/2013/01/28/new-vulnerability-bypasses-oracles-attempt-to-stop-malware-drive-by-downloads-via-java-applets/
Posted by laksri
Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned...
Posted by laksri
IBM Security Network Intrusion Prevention System did have 2 "Ahead-of-the-Threat" signatures that provided protection to our IBM Network IPS customers. As well, we are releasing today XPU 33.011 and 2842 with 2 additional signatures that will provide (specific) coverage of this known exploit.* More information on these Express Updates can be found at: http://www.iss.net/threats/459.html
Posted by laksri
Oracle has just released Security Alert CVE-2013-0422 to address two vulnerabilities affecting Java in web browsers. These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java. The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174. These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0. Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools.
The exploit conditions for these vulnerabilities are the same. To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website. The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system. These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets.
With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default. The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.
Posted by laksri
As we had warned of a few but critical vulnerabilities in the last few weeks, we see that Oracle has now responded.
==== from http://thenextweb.com/apps/2013/02/01/oracle-pushes-java-7-update-13-out-early-after-one-of-50-vulnerabilities-addressed-is-exploited-in-the-wild/ ====
Just a day after news broke that Apple had blocked Java for the second time this month, Oracle on Friday announced the release of Java 7 Update 13 to address 50 vulnerabilities. The patch comes more than two weeks early (the February 2013 Critical Patch was originally scheduled for February 19), but it was rushed out because Oracle was notified of “active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.”
Oracle says after it received reports of a vulnerability in JRE, it quickly confirmed it and then proceeded with “accelerating normal release testing” for the regular Java update, which it says already contained a fix for the issue. “Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers,” the company said.
Oddly, the last update was number 11, and it’s not immediately clear what happened to the twelfth (Update: as pointed out in the comments, security updates are odd numbers). Nevertheless, if you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle’s website here: Java SE 7u13.
Posted by laksri
From respected security researchers: http://seclists.org/fulldisclosure/2013/Jan/142
From: Security Explorations <contact () security-explorations com>
Date: Fri, 18 Jan 2013 15:00:31 +0100
Hello All,

This post might be interesting for those concerned about the state of Oracle's Java SE security.

We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21).

MBeanInstantiator bug (or rather a lack of a fix for it) turned out to be quite inspirational for us. However, instead of relying on this particular bug, we have decided to dig our own issues. As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code).

Thank you.

Best Regards
Adam Gowdiak
---------------------------------------------
Security Explorations
Posted by laksri
Because you might be getting pinged by IBM customers on this, I wanted to share some details.
1. IBM products that ship only the IBM JRE
A new Java zero-day vulnerability, CVE-2013-0422, was publicly reported on January 10, 2013.
Details about this issue are available in a Vulnerability Note published by CERT/CC Carnegie Mellon (see http://www.kb.cert.org/vuls/id/625617). This vulnerability can only be exploited as a client-side attack specifically targeting the browser software located on a user's desktop. For more information about client-side attacks see “Client-Side Attacks: An Overview” (http://books.google.com/books?id=izHrTu3dxAYC&lpg=PP1&pg=PA1#v=onepage&q&f=false).
The IBM Hursley Java team has acquired the exploit code (note that the source code for the exploit calls itself the Java "EveryDay" exploit), used it to test the IBM JDK, and confirmed that the IBM JDK is not vulnerable to this exploit. Thus the IBM Java development team has confirmed that the IBM Software Development Kit (SDK) and IBM Java Runtime Environment (JRE) are not vulnerable to this exploit. So our customers can continue to run the IBM JRE with confidence; the link to the official statement is attached below.
2. IBM products that ship the Oracle JRE may be vulnerable to this exploit if the Oracle JRE plug-in is being used by a web browser such as Internet Explorer, Chrome or Firefox. In such cases there is no fix available, but Java can be turned off in the browser: read the article and the links in it on how to "Disable Java on IE with the Windows Registry Wizard".
3. IBM customers using the award-winning patch management provided by Tivoli Endpoint Manager (TEM)
Content in the Updates for Windows Applications Fixlet site has been updated, as have the JRE Fixlets for Mac OS X.
You can review the information provided below to understand how rapidly all enterprise vulnerabilities can be closed.
If you have further questions please contact me.
Posted by laksri
[Partly from http://www.kb.cert.org/vuls/id/625617]
Quick tip: disabling Java in browsers (in all browsers on the systems you use)
• In Firefox, select "Tools" from the main menu, then "Add-ons," then click the "Disable" button next to any Java plug-ins.
• In Safari, click "Safari" in the main menu bar, then "Preferences," then select the "Security" tab and uncheck the button next to "Enable Java."
• In Chrome, type or copy "chrome://plugins" into your browser's address bar, then click the "Disable" button below any Java plug-ins.
• In Internet Explorer, follow these instructions (http://www.java.com/en/download/help/disable_browser.xml) for disabling Java in all browsers via the Java Control Panel. There is no way to completely disable Java specifically in IE.
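The Control Panel steps above, and the "high" security level Oracle describes in the Security Alert excerpt earlier on this page, are stored in the JRE's deployment.properties file, which makes them auditable across a fleet instead of one desktop at a time. The following Python audit is an added example written for this page; it is not code from IBM, Oracle or CERT/CC. It assumes Oracle's documented property names deployment.webjava.enabled (the 7u10 "Enable Java content in the browser" checkbox) and deployment.security.level (the slider, values LOW, MEDIUM, HIGH, VERY_HIGH), and the convention that a bare `<key>.locked` line in the system-level file stops users from overriding a setting; the sample properties file is constructed, not captured from a real system.

```python
"""Audit and harden the browser-facing settings in a Java deployment.properties file.

Added example for this page (not IBM, Oracle or CERT/CC code). Property names are
assumed from Oracle's deployment configuration documentation:
  deployment.webjava.enabled  - "Enable Java content in the browser" (Java 7u10+)
  deployment.security.level   - applet security slider: LOW, MEDIUM, HIGH, VERY_HIGH
  <key>.locked                - bare key in the system-level file, stops user override
"""

# Slider values weakest-first (assumption: Oracle's documented ordering).
SECURITY_LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]
# Oracle made HIGH the default in 7u11; require at least that.
MINIMUM_LEVEL = "HIGH"
AUDITED_KEYS = ("deployment.webjava.enabled", "deployment.security.level")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuation; a bare key (no separator) gets an empty value."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            idx = min(seps)
            key, value = line[:idx], line[idx + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return findings as (key, observed, recommended) tuples; an empty list means hardened."""
    findings = []
    webjava = props.get("deployment.webjava.enabled", "true")   # absent means enabled
    if webjava.lower() != "false":
        findings.append(("deployment.webjava.enabled", webjava, "false"))
    level = props.get("deployment.security.level")
    if level is None:
        # Absent means the JRE's built-in default (MEDIUM before 7u11); make it explicit.
        findings.append(("deployment.security.level", "unset", MINIMUM_LEVEL))
    elif (level.upper() not in SECURITY_LEVELS
          or SECURITY_LEVELS.index(level.upper()) < SECURITY_LEVELS.index(MINIMUM_LEVEL)):
        findings.append(("deployment.security.level", level, MINIMUM_LEVEL))
    for key in AUDITED_KEYS:
        if key + ".locked" not in props:
            # Without the lock a user can flip the setting back in the Java Control Panel.
            findings.append((key + ".locked", "absent", "present"))
    return findings


def harden(text):
    """Rewrite the file with the plug-in disabled, the level at least HIGH, and both locked."""
    props = parse_properties(text)
    props["deployment.webjava.enabled"] = "false"
    props["deployment.security.level"] = MINIMUM_LEVEL
    for key in AUDITED_KEYS:
        props[key + ".locked"] = ""
    lines = [k if v == "" else f"{k}={v}" for k, v in sorted(props.items())]
    return "\n".join(lines) + "\n"


# Constructed sample: a user-level file as Java 7u10 might leave it, with the plug-in
# enabled and the slider at MEDIUM (not captured from a real system).
WEAK_PROPERTIES = """\
#deployment.properties
deployment.version=7.10
deployment.javaws.jre.0.enabled=true
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.proxy.type=3
"""

if __name__ == "__main__":
    for key, seen, want in audit(parse_properties(WEAK_PROPERTIES)):
        print(f"{key}: {seen} -> {want}")
    hardened = harden(WEAK_PROPERTIES)
    print(hardened)
    assert audit(parse_properties(hardened)) == []
```

Run it as a script to see the four findings for the weak file followed by the hardened text. Note that a user's own deployment.properties overrides the system-level one unless the `.locked` entries are in the system file referenced by deployment.config, which is why the audit treats a missing lock as a finding rather than a cosmetic gap.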