FYI...Java SE Critical Patch Update Advisory - October 2012
Oct 16, 2012
Java JRE 7u9 released
Oct 16, 2012
- http://www.oracle.com/technetwork/java/javase/7u9-relnotes-1863279.html
Java JRE 6 Update 37
Oct 16, 2012
- http://www.oracle.com/technetwork/java/javase/6u37-relnotes-1863283.html
Java - October 2012 Risk Matrices
"This Critical Patch Update contains 30 new security fixes for Oracle Java SE. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."
Oct 16, 2012
Severity: High Severity
October 17, 2012
Oracle releases Java security patches that should be applied as soon as possible.
Analysis: Given the damage that has been caused by malware infections and system intrusions resulting from the exploitation of vulnerable versions of Java, it is likely that the security holes patched herein will also be used by cyber-criminals, nation-state attackers and others in their quest to compromise systems and pursue a malicious agenda. Limiting browser-based Java to one specific browser that is only used for trusted applications, and wrapping Java on any Microsoft platform with a technology such as EMET to reduce the risk of future exploitation, can help provide additional protection for this widely attacked software.
CVE Reference: CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5078, CVE-2012-5079, CVE-2012-5080, CVE-2012-5081, CVE-2012-5082, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
Oct 17 2012
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Version(s): 1.4.2_38 and prior, 5.0 Update 36 and prior, 6 Update 35 and prior, 7 Update 7 and prior
Impact: A remote user can take full control of the target system.
A remote user can access and modify data on the target system.
A remote user can cause partial denial of service conditions on the target system.
Solution: The vendor has issued a fix, described in the October 2012 Critical Patch Update advisory.
The vendor's advisory is available at: http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
Release Date: 2012-10-17
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote
... vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 7 and earlier.
* JDK and JRE 6 Update 35 and earlier.
* JDK and JRE 5.0 Update 36 and earlier.
* SDK and JRE 1.4.2_38 and earlier.
* JavaFX 2.2 and earlier.
Solution: Apply updates.
Original Advisory: Oracle: http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
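The affected-version list above is the kind of thing a defender wants to check across a fleet rather than read once. The following is an added example, not part of the advisory or of Oracle's tooling: it parses the version string that `java -version` prints (for example `java version "1.7.0_07"`) and compares it against the "and earlier" ranges quoted from the risk matrix (7 Update 7, 6 Update 35, 5.0 Update 36, 1.4.2_38). The host names and banners in `SAMPLE_BANNERS` are constructed for the example; families the advisory does not list (such as later Java releases) are reported as not affected because this page says nothing about them.

```python
import re
import subprocess

# Last affected update per family, taken from the October 2012 risk matrix
# quoted above. A version at or below the listed update is unpatched.
AFFECTED_MAX_UPDATE = {
    (1, 7): 7,    # JDK/JRE 7 Update 7 and earlier (fixed in 7u9)
    (1, 6): 35,   # JDK/JRE 6 Update 35 and earlier (fixed in 6u37)
    (1, 5): 36,   # JDK/JRE 5.0 Update 36 and earlier
    (1, 4): 38,   # SDK/JRE 1.4.2_38 and earlier
}

# Matches "1.7.0_07", "1.4.2_38" or "1.6.0" (no update suffix) anywhere in a banner.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, update) from a 'java -version' banner or a bare version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version string found in: %r" % text)
    major, minor, _micro, update = m.groups()
    return (int(major), int(minor), int(update) if update else 0)


def is_affected(version):
    """True if the (major, minor, update) tuple falls in an affected range from the advisory."""
    limit = AFFECTED_MAX_UPDATE.get(version[:2])
    if limit is None:
        # Family not listed in this advisory; nothing on the page lets us judge it.
        return False
    return version[2] <= limit


def audit(banners):
    """Map host name -> True when the host's reported Java is in an affected range."""
    return {host: is_affected(parse_java_version(banner)) for host, banner in banners.items()}


def local_java_version():
    """Parse the local 'java -version' output (printed on stderr); None if java is missing."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
        return parse_java_version(proc.stderr or proc.stdout)
    except (FileNotFoundError, ValueError):
        return None


# Constructed sample banners (not real inventory data) covering each family and both
# sides of the patch boundary.
SAMPLE_BANNERS = {
    "host-a": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment',
    "host-b": 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment',
    "host-c": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment',
    "host-d": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment',
    "host-e": 'java version "1.4.2_38"\nJava(TM) SE Runtime Environment',
}

if __name__ == "__main__":
    for host, affected in sorted(audit(SAMPLE_BANNERS).items()):
        print("%s: %s" % (host, "UNPATCHED" if affected else "ok"))
    local = local_java_version()
    if local is not None:
        print("this host: %s -> %s" % (local, "UNPATCHED" if is_affected(local) else "ok"))
```

The check is deliberately conservative in one direction only: it flags everything at or below the advisory's cut-off, and it does not claim anything about versions the matrix does not cover, which matters here because the page itself notes that 7u9 still carries an unpatched sandbox escape.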
Oct 17, 2012 - "... not all known bugs were fixed..."
Oct 18, 2012 - "... the ugly stuff. The biggest issue is that Oracle didn't patch all the known problems with Java. As a result, even these latest and greatest editions of Java remain vulnerable to a known critical flaw. Adam Gowdiak is the security researcher who found many of the recent flaws in Java. His last flaw became public knowledge on September 25th. Since the problem was exploitable on Java versions 5, 6 and 7, Gowdiak estimated that it put 1 billion users at risk. A couple of security organizations, Heise and Kaspersky, have been in contact with Gowdiak about how well the latest versions of Java patch the flaws he discovered. Gowdiak told Heise Security "that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java". He claims that Oracle told him that the just-released package of 30 bug fixes was "already in its final testing phase" when he reported the September 25th flaw. In other words, he was too late to the party. He told Kaspersky the same thing. The flaw that puts a billion users at risk won't be patched until February 19, 2013. This is not to suggest, in any way, ignoring the latest updates to Java. Just recognize that they make you safer (30 bugs were fixed) rather than safe..."