http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html?printOnly=1


Oracle Security Alert for CVE-2012-4681

Description
This Security Alert addresses security issues CVE-2012-4681 (US-CERT
Alert TA12-240A) and two other vulnerabilities affecting Java running in
web browsers on desktops. These vulnerabilities are not applicable to
Java running on servers or standalone Java desktop applications. They
also do not affect Oracle server-based software.

These vulnerabilities may be remotely exploitable without
authentication, i.e., they may be exploited over a network without the
need for a username and password. To be successfully exploited, an
unsuspecting user running an affected release in a browser will need to
visit a malicious web page that leverages this vulnerability. Successful
exploits can impact the availability, integrity, and confidentiality of
the user's system.

In addition, this Security Alert includes a security-in-depth fix in the
AWT subcomponent of the Java Runtime Environment.

Due to the severity of these vulnerabilities, the public disclosure of
technical details and the reported exploitation of CVE-2012-4681 "in the
wild," Oracle strongly recommends that customers apply the updates
provided by this Security Alert as soon as possible.

Supported Products Affected
Security vulnerabilities addressed by this Security Alert affect the
products listed in the categories below.  Please click on the link in
the Patch Availability column or in the Patch Availability Table to
access the documentation for those patches.

Affected product releases and versions:

Java SE                                 Patch Availability
JDK and JRE 7 Update 6 and before       Java SE
JDK and JRE 6 Update 34 and before      Java SE

Patch Availability Table and Risk Matrix
Java SE fixes in this Security Alert are cumulative; this latest update
includes all fixes from previous Critical Patch Updates and Security
Alerts.

Patch Availability Table
Product Group   Risk Matrix                     Patch Availability and
                                                Installation Information
Oracle Java SE  Oracle JDK and JRE Risk Matrix  Oracle Security Alert for
                                                CVE-2012-4681, My Oracle
                                                Support Note 1486726.1

Developers can download the latest Java SE JDK and JRE 7 and 6 releases
from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
Users running Java SE with a browser can download the latest JRE 7
release from http://java.com/. Users on the Windows platform can also use
automatic updates to get the latest JRE 7 and 6 releases.

Credit Statement
The following people or organizations reported security vulnerabilities
addressed by this Security Alert to Oracle: Adam Gowdiak of Security
Explorations; and James Forshaw (tyranid) via TippingPoint.

References
- Oracle Critical Patch Updates and Security Alerts main page
  [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked
  Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
  [ Oracle CVSS Scoring ]
- English text version of risk matrix [ Oracle Technology Network ]
- CVRF XML version of the risk matrix [ Oracle Technology Network ]
- Previous Security Advisories for Java SE and Java for Business Security
  Updates [ Java Sun Alerts Archive Page ]
Modification History

Date    Comments
2012-August-30  Rev 1. Initial Release



Fire up the Patch Machine, it's time again...

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]
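The alert above lists the affected releases as JDK/JRE 7 Update 6 and earlier and 6 Update 34 and earlier, and the question raised further down the thread is whether a given install is actually patched. The script below is an added example, not part of the Oracle alert or of any message in this thread: it parses the `1.<major>.0_<update>` token from a `java -version` banner and classifies it against those two thresholds. The function and variable names are my own, and the sample banners are constructed.

```python
"""Classify a Java version string against the releases Oracle lists as
affected in the Security Alert for CVE-2012-4681 (JDK/JRE 7 Update 6 and
before, 6 Update 34 and before).  Added example; not Oracle's code."""
import re
import subprocess

# Highest affected update level per major release, copied from the alert's
# "Affected product releases and versions" table.
MAX_AFFECTED_UPDATE = {7: 6, 6: 34}

# Matches the version token in either form: a bare "1.7.0_06" or the full
# banner line produced by `java -version`:  java version "1.7.0_06"
_VERSION_RE = re.compile(r'1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) from a version string or java -version banner.

    Releases of that era use the 1.<major>.0_<update> scheme; a token with
    no _<update> suffix is treated as update 0.  Returns None when no
    version token is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(text):
    """True if the version is within the alert's affected range, False if it
    is past the fixed level, None if the alert does not cover that release
    (or no version could be parsed)."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    if major not in MAX_AFFECTED_UPDATE:
        return None
    return update <= MAX_AFFECTED_UPDATE[major]


def check_installed(java_cmd="java"):
    """Run `java -version` for the JRE on PATH and classify its banner.

    The banner is written to stderr.  Returns (banner, affected); both are
    None if the command cannot be run.
    """
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True,
                              text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None, None
    banner = (proc.stderr or proc.stdout).strip()
    return banner, is_affected(banner)


if __name__ == "__main__":
    # Constructed sample banners covering both sides of each threshold and
    # a release the alert does not mention.
    samples = [
        'java version "1.7.0_06"',
        'java version "1.7.0_07"',
        'java version "1.6.0_34"',
        'java version "1.6.0_35"',
        'java version "1.5.0_22"',
    ]
    for s in samples:
        print(f"{s:28} affected={is_affected(s)}")
    banner, affected = check_installed()
    if banner is not None:
        print("local:", banner.splitlines()[0], "affected =", affected)
```

One caveat when using this for inventory: `java -version` only reports the JRE first on PATH. A host can carry several JREs, and the alert's scope is Java running in the browser, so each installed runtime (and the one the browser plug-in actually loads) needs to be checked, not just the default one.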


-----Original Message-----
From: S Powell [mailto:[email protected]] 
Sent: Thursday, August 30, 2012 2:16 PM
To: NT System Admin Issues
Subject: Re: 0 Day in Java 1.7 up to Version 6

according to cert:
http://www.kb.cert.org/vuls/id/636312

"This issue is addressed in Java 7 Update 7. Also consider the following
workarounds:"

so I guess the real question is, is it really patched?



-----------------
"Choose the highest bidder" was my answer when they told me I was up for
sale.


On Thu, Aug 30, 2012 at 11:03 AM, David Lum <[email protected]> wrote:
> "After an exploit for them has been added to the Blackhole exploit
> kit, the number of sites functioning as entrance points for malware has
> risen exponentially. According to Patrik Runald, director of security
> research at Websense, the company has already spotted over 100 unique
> domains serving the Java exploit.
>
> "The number is definitely growing...and because Blackhole has an
> updatable framework and already has a foothold on thousands of sites, we
> anticipate that the number of sites compromised with this new zero-day
> will escalate rapidly in the coming days," he told Gregg Keizer."
>
> - and -
>
> "According to researchers from Security Explorations, who found the
> two flaws and reported them to Oracle back in April, the monthly status
> report they received from Oracle less than a week ago shows that both
> flaws have been addressed."
>
> Full article: http://www.net-security.org/secworld.php?id=13507
>
> David Lum
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin


