News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
October 22, 2014, 23:55:50
Pages: 1 2 3 [4] 5   Go Down
  Print  
Topic: Java JRE advisories/updates  (Read 33037 times)
0 Members and 1 Guest are viewing this topic.
« Reply #45 on: June 12, 2012, 10:34:28 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java v7u5 / v6 Update 33 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
June 12, 2012

- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
"... contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html#AppendixJAVA
7 Update 4 and before, 6 Update 32 and before, 5 Update 35 and before, 1.4.2_37 and before. JavaFX 2.1 and before...

Verify:
>> https://www.java.com/en/download/installed.jsp?detect=jre&try=1

Java SE 7u5 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
Changes in 1.7.0_5
- http://www.oracle.com/technetwork/java/javase/7u5-relnotes-1653274.html

Java SE 6 Update 33 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html
Changes in 1.6.0_33
- http://www.oracle.com/technetwork/java/javase/6u33-relnotes-1653258.html
___

URGENT BULLETIN: All E-Business Suite End-Users...
- https://blogs.oracle.com/stevenChan/entry/bulletin_disable_jre_auto_update
Update: June 14, 2012 - "To ensure that Java Users remain on a secure version, Windows systems that rely on auto-update will be auto-updated from JRE 6 to JRE 7. Until EBS is certified with JRE 7, EBS users should -not- rely on the windows auto-update mechanism for their client machines and should -manually- keep the JRE up to date with the latest versions of 6 on an ongoing basis..."

- http://h-online.com/-1618753
15 June 2012
___

- http://www.securitytracker.com/id/1027153
CVE Reference: CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726
Jun 12 2012
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Version(s): 1.4.2_37 and prior, 5.0 Update 35 and prior, 6 Update 32 and prior, 7 Update 4 and prior...

- https://secunia.com/advisories/49472/
Release Date: 2012-06-13
Criticality level: Highly critical
Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote
Original Advisory: Oracle:
http://www.oracle.com/technetwork/topics/security/javacpujun2012verbose-1515971.html

 Exclamation Exclamation
« Last Edit: June 15, 2012, 06:58:36 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #46 on: August 14, 2012, 18:35:16 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java v7u6 / v6u34 released
- http://www.oracle.com/us/corporate/press/1735645
August 14, 2012

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java SE 7u6 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html
Changes in 1.7.0_6
- http://www.oracle.com/technetwork/java/javase/7u6-relnotes-1729681.html
Bug fixes
- http://www.oracle.com/technetwork/java/javase/2col/7u6-bugfixes-1733378.html

Java SE 6 Update 34 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html
Changes in 1.6.0_34
- http://www.oracle.com/technetwork/java/javase/6u34-relnotes-1729733.html
Bug fixes
- http://www.oracle.com/technetwork/java/javase/2col/6u34-bugfixes-1733379.html

Java 6 EOL extended to February 2013
- https://blogs.oracle.com/henrik/entry/java_6_eol_h_h

Verify: https://www.java.com/en/download/installed.jsp?detect=jre&try=1
___

- http://h-online.com/-1667714
15 August 2012
___

- http://nakedsecurity.sophos.com/2012/08/15/oracle-updates-java-claims-full-and-timely-updates-for-apple-users/
Aug 15, 2012 - "... the latest Java version from Oracle is 7u6, also known as 1.7.0_6. If you don't intend to develop Java programs yourself, stick to the JRE. It's much smaller than the JDK, which reduces what's known in trendy-speak as your attack surface area. That's always a good thing. This new Java version includes a longish list of bugfixes*. These include: a few ominous-sounding ones with more than a whiff of vulnerability about them, such as 7166498 - JVM crash in ClassVerifier; the risky-sounding 7155051 - DNS provider may return incorrect results; and the intriguingly sticky-sounding 7178177 - Debug spewage when applets start up. With that in mind, I suggest you update as soon as practicable."
* http://www.oracle.com/technetwork/java/javase/2col/7u6-bugfixes-1733378.html

 Exclamation
« Last Edit: August 19, 2012, 07:05:29 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #47 on: August 30, 2012, 10:10:46 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

New critical Java flaw claimed
- http://www.theregister.co.uk/2012/09/26/gowdiak_claims_new_java_flaw/
26 Sep 2012- "Oracle's Java is making a play to wrest back the title of world's leakiest code from Internet Explorer, after Polish researcher Adam Gowdiak claimed another critical flaw exists in the product. The -new- claim is stated on the Full Disclosure mailing list where Gowdiak writes that the newly-found flaw impacts “all latest versions of Oracle Java SE software” and that it allows “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.” That's apparently worse than previous exploits, as they only hit Java 7..."
- http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/
Sep 25, 2012

Consider disabling Java* in your browser until the next update**.

* https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

** https://isc.sans.edu/diary.html?storyid=14017

- http://www.oracle.com/technetwork/topics/security/alerts-086861.html
"For Oracle Java SE Critical Patch Updates, the next three dates are:
    16 October 2012
    19 February 2013
    18 June 2013 ..."
___

Java v7u7 / v6u35 released
* http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-verbose-1835710.html
August 30, 2012

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA
CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, CVE-2012-0547

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java SE 7u7 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html
Changes in 1.7.0_7
- http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
"... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."
___

Java SE 6 Update 35 JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre6u35-downloads-1836473.html
Changes in 1.6.0_35
- http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html
"... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681 - 10.0 (HIGH)
Last revised: 09/01/2012 - "... as exploited in the wild in August 2012..."

- https://www.us-cert.gov/current/#oracle_java_jre_1_7
August 31, 2012 - "... US-CERT encourages users and administrators to review the Oracle Security Alert for CVE-2012-4681* and apply any necessary updates to help mitigate the risk."

 Exclamation Exclamation
« Last Edit: September 26, 2012, 05:43:26 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #48 on: October 16, 2012, 11:27:23 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java SE Critical Patch Update Advisory - October 2012
- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
Oct 16, 2012

Java JRE 7u9 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7u9-downloads-1859586.html
Oct 16, 2012

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u9-relnotes-1863279.html

Java JRE 6 Update 37
- http://www.oracle.com/technetwork/java/javase/downloads/jre6u37-downloads-1859589.html
Oct 16, 2012

Release Notes
- http://www.oracle.com/technetwork/java/javase/6u37-relnotes-1863283.html

Java - October 2012 Risk Matrices
- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html#AppendixJAVA
"This Critical Patch Update contains 30 new security fixes for Oracle Java SE. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

- https://blogs.oracle.com/security/entry/october_2012_critical_patch_update
Oct 16, 2012
___

- http://atlas.arbor.net/briefs/index#1321617866
Severity: High Severity
October 17, 2012
Oracle releases Java security patches that should be applied as soon as possible.
Analysis: Given the damage that has been caused by malware infections and system intrusions caused by vulnerable versions of Java being exploited it is likely that the security holes patched herein will also be used by cyber-criminals, nation-state attackers and others in their quest to compromise systems and pursue a malicious agenda. Limiting the scope of browser-based Java to one specific browser that's only used on trusted applications and also wrapping Java on any Microsoft platform with a technology such as EMET to reduce the risk of future exploitation can help provide additional protection for this widely attacked software.

- http://www.securitytracker.com/id/1027672
CVE Reference: CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5078, CVE-2012-5079, CVE-2012-5080, CVE-2012-5081, CVE-2012-5082, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
Oct 17 2012
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Version(s): 1.4.2_38 and prior, 5.0 Update 36 and prior, 6 Update 35, 7 Update 7 and prior
Impact: A remote user can take full control of the target system.
A remote user can access and modify data on the target system.
A remote user can cause partial denial of service conditions on the target system.
Solution: The vendor has issued a fix, described in the October 2012 Critical Patch Update advisory.
The vendor's advisory is available at:
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

- https://secunia.com/advisories/50949/
Release Date: 2012-10-17
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote
... vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 7 and earlier.
* JDK and JRE 6 Update 35 and earlier.
* JDK and JRE 5.0 Update 36 and earlier.
* SDK and JRE 1.4.2_38 and earlier.
* JavaFX 2.2 and earlier.
Solution: Apply updates.
Original Advisory: Oracle:
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
___

- http://javatester.org/
Oct 17, 2012 - "... not all known bugs were fixed..."

- http://blogs.computerworld.com/application-security/21173/ugly-side-latest-java-updates
Oct 18, 2012 -"... the ugly stuff. The biggest issue is that Oracle didn't patch all the known problems with Java. As a result, even these latest and greatest editions of Java remain vulnerable to a known critical flaw. Adam Gowdiak is the security researcher who found many of the recent flaws in Java. His last flaw became public knowledge on September 25th. Since the problem was exploitable on Java versions 5, 6 and 7, Gowdiak estimated that it put 1 billion users at risk. A couple security organizations, Heise and Kaspersky, have been in contact with Gowdiak about how well the latest versions of Java patch the flaws he discovered. Gowdiak told Heise Security "that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java". He claims that Oracle told him that the just-released package of 30 bug fixes was "already in its final testing phase" when he reported the September 25th flaw. In other words, he was too late to the party. He told Kaspersky the same thing. The flaw that puts a billion users at risk won't be patched until February 19, 2013. This is not to suggest, in any way, ignoring the latest updates to Java. Just recognize that they make you safer (30 bugs were fixed) rather than safe..."

Exclamation Exclamation
« Last Edit: November 16, 2012, 17:28:26 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #49 on: December 11, 2012, 19:38:05 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java 7u10/6u38 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Dec 11, 2012

7u10 Downloads:
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

Bug Fixes - JDK 7u10
> http://www.oracle.com/technetwork/java/javase/2col/7u10-bugfixes-1881008.html

- http://www.oracle.com/technetwork/java/javase/7u10-relnotes-1880995.html
___

- http://h-online.com/-1770629
17 Dec 2012

> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp.html

- https://krebsonsecurity.com/2012/12/shocking-delay-in-fixing-adobe-shockwave-bug/
Dec 19, 2012 - "... There are bug fixes with these releases, but no official security updates. However, the Java 7 update does include some new functionality designed to make it easier to disable Java in the browser..."
___

6 Update 38 Downloads:
- http://www.oracle.com/technetwork/java/javase/downloads/jre6u38-downloads-1877409.html

Bug Fixes - JDK 6u38
- http://www.oracle.com/technetwork/java/javase/2col/6u38-bugfixes-1880999.html

- http://www.oracle.com/technetwork/java/javase/6u38-relnotes-1880997.html

- http://www.oracle.com/technetwork/java/javase/eol-135779.html
"... After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions..."

 Exclamation
« Last Edit: December 19, 2012, 19:42:06 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #50 on: January 13, 2013, 16:37:30 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java v7u11 released - Download
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
Jan 13, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
"... This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422*..."
* http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

> http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html#AppendixJAVA
2013-January 13

- https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
Jan 13, 2013 - "... The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174. These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0. Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 - 10.0 (HIGH)
"... vulnerability in Oracle Java 7 before Update 11..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3174 - 10.0 (HIGH)
"... vulnerability in Oracle Java 7 before Update 11..."

 Exclamation Exclamation
« Last Edit: January 19, 2013, 04:38:09 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #51 on: February 01, 2013, 12:25:23 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java v7u13 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
Feb 1, 2013

JRE 7u13
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

- https://www.java.com/en/download/manual.jsp

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u13-relnotes-1902884.html
This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory*.

* http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html

- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html#AppendixJAVA

- https://blogs.oracle.com/security/entry/february_2013_critical_patch_update
Feb 01, 2013 - "... contains fixes for -50- security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java..."

Oracle Java SE Critical Patch Update Advisory - February 2013
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Note: The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update...

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1489 - 10.0 (HIGH)
___

JRE 6u39
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html

- http://www.oracle.com/technetwork/java/javase/6u39-relnotes-1902886.html
___

- http://www.securitytracker.com/id/1028071
CVE Reference: CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0436, CVE-2013-0437, CVE-2013-0438, CVE-2013-0439, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1472, CVE-2013-1473, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483, CVE-2013-1489
Feb 1 2013
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 Update 38 and prior; 6 Update 38 and prior; 7 Update 11 and prior...
Solution: The vendor has issued a fix as part of the Oracle Java SE Critical Patch Update Advisory for February 2013. The vendor's advisory is available at:
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

- http://www.kb.cert.org/vuls/id/858729
Last Updated: 05 Feb 2013
___

- https://blogs.oracle.com/security/entry/updates_to_february_2013_critical#
Update Feb 08, 2013: "... As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE. Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date. This updated February 2013 Critical Patch Update will be published on February 19th..."

 Neutral
« Last Edit: February 18, 2013, 02:24:35 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #52 on: February 19, 2013, 12:17:27 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

- https://secure.dslreports.com/forum/r28039102-
2013-02-23 - "With the last 2 Java updates on my XP box (7_13 & 7_15), I received the offer of a McAfee Security Scan which I declined. The same updates on my Vista box offered the installation of the Ask.com toolbar which I also declined..."

- https://encrypted.google.com/
Tag-along software installs
"... About 35,500,000 results..." < 3.15.2013
___

IBM Java Multiple Vulnerabilities
- https://secunia.com/advisories/52308/
Release Date: 2013-03-01
Criticality level: Highly critical
Impact: Privilege escalation, DoS, System access, Manipulation of data, Exposure of sensitive information
Where: From remote...
Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/
___

Java 7u15 released - JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Feb 19, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u15-relnotes-1907738.html

JDK
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Java v7 Update 15
- https://www.java.com/en/download/manual.jsp

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html#AppendixJAVA

- https://blogs.oracle.com/security/entry/updated_february_2013_critical_patch
Feb 19, 2013
___

Java JRE v6 Update 41
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html
___

- http://www.securitytracker.com/id/1028155
CVE Reference: CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487
Feb 19 2013
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4.2_41 and prior, 5.0 Update 39 and prior, 6 Update 39, 7 Update 13 and prior

 Exclamation
« Last Edit: March 15, 2013, 11:38:54 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #53 on: March 04, 2013, 14:30:07 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

There are a dozen known flaws in Java ...
- http://blogs.computerworld.com/malware-and-vulnerabilities/21883/there-are-dozen-known-flaws-java
March 10, 2013 - "The last time Oracle released a new version of Java was less than a week ago (March 4th). Yet, there are already a dozen known, un-patched bugs in this latest release (Java 7 update 17)..."
___

Java JRE 7u17 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Mar 4, 2013

- http://www.oracle.com/technetwork/java/javase/7u17-relnotes-1915289.html

- https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493
Mar 4, 2013 - "Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers..."

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html#AppendixJAVA

JDK 7u17
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
___

Java 6 Update 43
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html

- https://secunia.com/advisories/52451/
Last Update: 2013-03-05
Criticality level: Extremely critical
Impact: System access
Where: From remote...
CVE Reference(s): CVE-2013-0809, CVE-2013-1493
Solution: Update to a fixed version...
___

- http://seclists.org/fulldisclosure/2013/Mar/38
Mar 4, 2013 - "... 5 -new- security issues were discovered in Java SE 7..."

 Exclamation Exclamation
« Last Edit: March 15, 2013, 11:29:03 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #54 on: April 16, 2013, 12:21:58 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

- http://www.symantec.com/connect/blogs/java-exploit-cve-2013-2423-coverage
Updated: 26 Apr 2013 - "... this vulnerability is now seen as a high priority... Please be aware of -malware- that masquerades as software updates and patches - only download the patch from the official website."

Current version always shown here:
- https://www.java.com/en/download/manual.jsp
___

Java JRE 7u21
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
April 16, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html

- https://blogs.oracle.com/security/entry/april_2013_critical_patch_update1
Apr 16, 2013

Oracle Java SE Critical Patch Update Advisory - April 2013
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html#AppendixJAVA
April 16, 2013 - "This Critical Patch Update contains 42 new security fixes for Oracle Java SE.  39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

Recommended Version 7 Update 21
- https://www.java.com/en/download/manual.jsp

- https://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities..."

Java JRE 6 Update 45
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html
___

Java 7 Update 21 is available - Watch for Behaviour Changes
- https://isc.sans.edu/diary.html?storyid=15620
2013-04-16 - "... Oracle has significantly changed how Java runs with this version.  Java now requires code signing, and will pop up brightly coloured dialogue boxes if your code is not signed.  They now alert on unsigned, signed-but-expired and self-signed certificates. We'll even need to click "OK" when we try to download and execute signed and trusted Java... graphics you can expect to see once you update are:
> https://isc.sans.edu/diaryimages/images/expired_cert.jpg
> https://isc.sans.edu/diaryimages/images/unsigned_cert.jpg
 Full details on the new run policy can be found here ==>
- https://www.java.com/en/download/help/appsecuritydialogs.xml
And more information can be found here ==>
- http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html "

Dangerous defaults let certificates stay unchecked.
- http://www.h-online.com/security/news/item/Java-7-Update-21-closes-security-holes-and-restricts-applets-1843558.html?view=zoom;zoom=2
17 April 2013
___

- http://www.securitytracker.com/id/1028434
CVE Reference: CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440
Apr 16 2013
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 Update 41, 6 Update 43, 7 Update 17; and prior versions...
Solution: The vendor has issued a fix (6 Update 45, 7 Update 21)...
___

- http://www.f-secure.com/weblog/archives/00002544.html
April 23, 2013 - "A few days after Oracle released a critical patch, CVE-2013-2423* is found to (have) already been exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening... the Metasploit module was published on the 20th... the exploit was seen in the wild the day after..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423

 Exclamation
« Last Edit: May 15, 2013, 03:42:30 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #55 on: June 04, 2013, 05:58:51 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java users at risk ...
- http://community.websense.com/blogs/securitylabs/archive/2013/06/04/majority-of-users-still-vulnerable-to-java-exploits.aspx
4 Jun 2013 - "... collecting telemetry... to provide insight into usage of the most recent version of Java... almost 93% of users are still not patched to the most recent version of Java. This leaves the majority of users still vulnerable to the dangers of exploit code already in use in the wild... So 1 month after release, the remaining 92.8% of users remain vulnerable to at least one exploit in the wild... the April 2013 Java Critical Patch Update contained 42 new security fixes, of which 39 may be remotely exploitable without authentication. We saw that on April 20, 2013, to illustrate the danger of just one of these 39 remote execution vulnerabilities, Metasploit published a module to exploit a vulnerability in CVE-2013-2423*. We have observed this particular exploit code incorporated into exploit kits and used in the wild..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423

Java JRE 7u21
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
April 16, 2013

Recommended Version 7 Update 21
- https://www.java.com/en/download/manual.jsp

- https://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities..."

 Exclamation  Sad
Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #56 on: June 18, 2013, 11:24:35 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java JRE 7u25
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
June 18, 2013

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html

- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
"... This Critical Patch Update contains 40 new security fixes across Java SE products of which 4 are applicable to server deployments of Java..."

Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html#AppendixJAVA

- http://www.oracle.com/technetwork/topics/security/javacpujun2013verbose-1899853.html

- https://blogs.oracle.com/security/entry/june_2013_critical_patch_update
Jun 18, 2013

Recommended Version 7 Update 25
- https://www.java.com/en/download/manual.jsp
___

- http://www.securitytracker.com/id/1028679
CVE Reference:  CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2467, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3744
Jun 18 2013
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 Update 45, 6 Update 45, 7 Update 21; and prior versions ...
Solution: The vendor has issued a fix (7 Update 25).

- https://secunia.com/advisories/53846/
Release Date: 2013-06-19
Criticality level: Highly critical
Impact: Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote  
... vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 21 and prior
* JDK and JRE 6 Update 45 and prior
* JDK and JRE 5 Update 45 and prior
Solution: Apply updates...
___

Less Than 1 Percent Of Enterprises Run Newest Version Of Java
Most businesses have multiple, outdated versions of the app on their endpoints, new report finds
- http://www.darkreading.com/vulnerability/write-once-pwn-anywhere-less-than-1-per/240158496?printer_friendly=this-page
July 18, 2013 - "... More than 90 percent of organizations are running a version of Java that's at least five years old, and 82 percent of endpoints run Java version 6, according to a new report by Bit9 that investigated Java installations in the enterprise. There are an average of 1.6 versions of Java on every endpoint, and nearly half of all endpoints have more than two versions of the application. Fewer than 1 percent run the newest version of Java: version 7 Update 25, Bit9 found... why don't enterprises merely purge older versions of Java? It's the old legacy application problem. Applications that are tied to a specific version of Java could lose functionality if only the new version of Java were running..."

 Exclamation
« Last Edit: July 19, 2013, 12:16:45 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #57 on: August 27, 2013, 07:49:41 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java 6 0-Day exploit-in-the-wild
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2013/08/26/java-6-0-day-exploit-in-the-wild
Aug 26, 2013 - "CVE-2013-2463 is a vulnerability in the Java 2D subcomponent, that was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 (including the latest u45) has the same vulnerability, as Oracle acknowledges in the CPU, but since Java 6 has become unsupported as of its End-of-Life in April 2013, there is no patch for the vulnerability... this time, things have become a bit more serious. As Matthew Schwartz reports in Informationweek*, F-Secure has seen exploits for this vulnerability in Java 6 in the wild. Further they have seen it included in the Neutrino exploit kit, which guarantees that it will find widespread adoption. In addition, we still see very high rates of Java 6 installed (a bit over 50%), which means many organizations are vulnerable..."
* https://www.informationweek.com/security/vulnerabilities/hackers-target-java-6-with-security-expl/240160443

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2463 - 10.0 (HIGH)
___

- https://community.qualys.com/blogs/laws-of-vulnerabilities/2013/08/26/java-6-0-day-exploit-in-the-wild
Comments: "... OpenJDK 6 remains supported and actively patched for security flaws. An OpenJDK 6 patch for CVE-2013-2463 is available":
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023941.html
___

- http://blog.trendmicro.com/trendlabs-security-intelligence/java-native-layer-exploits-going-up/
Aug 28, 2013 - "... We urge users to carefully evaluate their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws."
___

- http://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/
4 Sep 2013
* http://krebsonsecurity.com/wp-content/uploads/2013/09/javaprompt.png

- https://www.cert.org/blogs/certcc/2013/04/dont_sign_that_applet.html

- http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

 Exclamation
« Last Edit: September 04, 2013, 04:03:35 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #58 on: September 11, 2013, 03:00:49 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java JRE 7u40 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Sep 10, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u40-relnotes-2004172.html

Bug Fixes
- http://www.oracle.com/technetwork/java/javase/2col/7u40-bugfixes-2007733.html

Recommended Version 7 Update 40
- https://www.java.com/en/download/manual.jsp

- https://blogs.oracle.com/java/entry/java_se_7_update_40

 Exclamation
Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #59 on: October 15, 2013, 12:11:56 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8345



FYI...

Java JRE 7u45 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

- http://www.oracle.com/technetwork/java/javase/downloads/index.html
"This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

- https://blogs.oracle.com/java/entry/java_se_7_update_45
Oct 15, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html

Recommended Version 7 Update 45
- https://www.java.com/en/download/manual.jsp

- http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA
"This Critical Patch Update contains -51- new security fixes for Oracle Java SE. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

- https://secunia.com/advisories/55315/
Release Date: 2013-10-16
Criticality: Highly Critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Solution Status: Vendor Patch
CVE Reference(s): CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854
Original Advisory: Oracle:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA
http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html#JAVA
___

- http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/
Oct. 16, 2013 - "... seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants..."
___

- https://isc.sans.edu/diary.html?storyid=16811
Last Updated: 2013-10-15 20:17:01 UTC - "... Oracle is now on a quarterly update schedule, starting with this version. Going forward, expect regular updates to be released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
    14 January 2014
    15 April 2014
    15 July 2014
    14 October 2014 ..."

 Exclamation
« Last Edit: October 16, 2013, 08:16:10 by AplusWebMaster » Logged

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
 
Pages: 1 2 3 [4] 5   Go Up
  Print  
 
Jump to:  

Powered by SMF 1.1.20 | SMF © 2013, Simple Machines Page created in 0.783 seconds with 20 queries.