You guys are the best.... thank you for what you do

On Jan 21, 2013 9:46 AM, "Security Explorations" <[email protected]> wrote:
> Hello All,
>
> This post might be interesting for those concerned about the
> state of Oracle's Java SE security.
>
> We have successfully confirmed that a complete Java security
> sandbox bypass can still be gained under the recent version
> of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).
>
> The MBeanInstantiator bug (or rather a lack of a fix for it [2][3])
> turned out to be quite inspirational for us. However, instead
> of relying on this particular bug, we have decided to dig our
> own issues. As a result, two new security vulnerabilities (51
> and 52) were spotted in a recent version of Java SE 7 code and
> they were reported to Oracle today [4] (along with working
> Proof of Concept code).
>
> Thank you.
>
> Best Regards
> Adam Gowdiak
>
> ---------------------------------------------
> Security Explorations
> http://www.security-explorations.com
> "We bring security research to the new level"
> ---------------------------------------------
>
> References:
> [1] Oracle Security Alert for CVE-2013-0422
> http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
> [2] Java 7 Update 11 Addresses the Flaw Partly Fixed in October 2012,
> Experts Say
> http://news.softpedia.com/news/Java-7-Update-11-Addresses-the-Flaw-Partly-Fixed-in-October-2012-Experts-Say-320792.shtml
> [3] Confirmed: Java only fixed one of the two bugs
> http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html
> [4] SE-2012-01 Vendors status
> http://www.security-explorations.com/en/SE-2012-01-status.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
