Thanks Dave and Z

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Thu, Aug 30, 2012 at 2:47 PM, David Lum <david....@nwea.org> wrote:
>
> http://www.forbes.com/sites/andygreenberg/2012/08/30/oracle-quietly-releases-fix-for-serious-java-security-bug-months-after-it-was-reported/
>
> Dave
>
> -----Original Message-----
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Thursday, August 30, 2012 11:31 AM
> To: NT System Admin Issues
> Subject: RE: 0 Day in Java 1.7 up to Version 6
>
> http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html?printOnly=1
>
> Oracle Security Alert for CVE-2012-4681
>
> Description
> This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert
> TA12-240A) and two other vulnerabilities affecting Java running in web
> browsers on desktops. These vulnerabilities are not applicable to Java
> running on servers or standalone Java desktop applications. They also do
> not affect Oracle server-based software.
>
> These vulnerabilities may be remotely exploitable without authentication,
> i.e., they may be exploited over a network without the need for a username
> and password. To be successfully exploited, an unsuspecting user running an
> affected release in a browser will need to visit a malicious web page that
> leverages this vulnerability. Successful exploits can impact the
> availability, integrity, and confidentiality of the user's system.
>
> In addition, this Security Alert includes a security-in-depth fix in the
> AWT subcomponent of the Java Runtime Environment.
>
> Due to the severity of these vulnerabilities, the public disclosure of
> technical details and the reported exploitation of CVE-2012-4681 "in the
> wild," Oracle strongly recommends that customers apply the updates provided
> by this Security Alert as soon as possible.
>
> Supported Products Affected
> Security vulnerabilities addressed by this Security Alert affect the
> products listed in the categories below. Please click on the link in the
> Patch Availability column or in the Patch Availability Table to access the
> documentation for those patches.
>
> Affected product releases and versions:
>
> Java SE | Patch Availability
> JDK and JRE 7 Update 6 and before | Java SE
> JDK and JRE 6 Update 34 and before | Java SE
>
> Patch Availability Table and Risk Matrix
> Java SE fixes in this Security Alert are cumulative; this latest update
> includes all fixes from previous Critical Patch Updates and Security Alerts.
>
> Patch Availability Table
> Product Group | Risk Matrix | Patch Availability and Installation Information
> Oracle Java SE | Oracle JDK and JRE Risk Matrix | Oracle Security Alert for CVE-2012-4681 My Oracle Support Note 1486726.1.
>
> Developers can download the latest Java SE JDK and JRE 7 and 6 releases
> from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
> Users running Java SE with a browser can download the latest JRE 7 release
> from http://java.com/. Users on the Windows platform can also use
> automatic updates to get the latest JRE 7 and 6 releases.
>
> Credit Statement
> The following people or organizations reported security vulnerabilities
> addressed by this Security Alert to Oracle: Adam Gowdiak of Security
> Explorations; and James Forshaw (tyranid) via TippingPoint.
>
> References
> Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
> Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
> Risk Matrix definitions [ Risk Matrix Definitions ]
> Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
> English text version of risk matrix [ Oracle Technology Network ]
> CVRF XML version of the risk matrix [ Oracle Technology Network ]
> Previous Security Advisories for Java SE and Java for Business Security Updates [ Java Sun Alerts Archive Page ]
>
> Modification History
> Date | Comments
> 2012-August-30 | Rev 1. Initial Release
>
> Fire up the Patch Machine, it's time again...
>
> Z
>
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> ezi...@lifespan.org
>
> -----Original Message-----
> From: S Powell [mailto:powe...@gmail.com]
> Sent: Thursday, August 30, 2012 2:16 PM
> To: NT System Admin Issues
> Subject: Re: 0 Day in Java 1.7 up to Version 6
>
> according to cert:
> http://www.kb.cert.org/vuls/id/636312
>
> "This issue is addressed in Java 7 Update 7. Also consider the following
> workarounds:"
>
> so I guess the real question is, is it really patched?
>
> -----------------
> "Choose the highest bidder" was my answer when they told me I was up for
> sale.
>
> On Thu, Aug 30, 2012 at 11:03 AM, David Lum <david....@nwea.org> wrote:
> > "After an exploit for them has been added to the Blackhole exploit kit,
> > the number of sites functioning as entrance points for malware has risen
> > exponentially. According to Patrik Runald, director of security research
> > at Websense, the company has already spotted over 100 unique domains
> > serving the Java exploit.
> >
> > "The number is definitely growing...and because Blackhole has an
> > updatable framework and already has a foothold on thousands of sites, we
> > anticipate that the number of sites compromised with this new zero-day
> > will escalate rapidly in the coming days," he told Gregg Keizer."
> >
> > - and -
> >
> > "According to researchers from Security Explorations, who found the two
> > flaws and reported them to Oracle back in April, the monthly status
> > report they received from Oracle less than a week ago shows that both
> > flaws have been addressed."
> >
> > Full article: http://www.net-security.org/secworld.php?id=13507
> >
> > David Lum
> > Systems Engineer // NWEATM
> > Office 503.548.5229 // Cell (voice/text) 503.267.9764
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to listmana...@lyris.sunbeltsoftware.com
> > with the body: unsubscribe ntsysadmin
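An added example (not part of the thread or of Oracle's alert): triaging an inventory of reported Java version strings against the affected releases listed in the quoted alert ("JDK and JRE 7 Update 6 and before", "JDK and JRE 6 Update 34 and before"). The host names, the sample inventory and the function names are constructed for illustration, and the legacy `1.<family>.0_<update>` version-string format is assumed.

```python
import re

# Highest affected update per family, from the alert quoted in the thread.
AFFECTED_MAX_UPDATE = {7: 6, 6: 34}

# Legacy version string such as 1.7.0_06 or 1.6.0_34-b04.
# A string with no "_NN" suffix (e.g. 1.7.0) is treated as update 0.
_VERSION_RE = re.compile(r'\b1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, update) from a version string or `java -version` output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Classify one reported version against the alert's affected list."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"          # needs a manual look
    family, update = parsed
    ceiling = AFFECTED_MAX_UPDATE.get(family)
    if ceiling is None:
        return "not-listed"        # family is not named in the alert
    return "affected" if update <= ceiling else "newer"


def triage(inventory):
    """Map host -> status for an inventory of {host: reported version text}."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory (hypothetical hosts and values).
SAMPLE = {
    "desk-01": 'java version "1.7.0_06"',
    "desk-02": 'java version "1.7.0_07"',
    "desk-03": "1.6.0_34-b04",
    "desk-04": "1.6.0_35",
    "desk-05": "1.7.0",
    "desk-06": "1.5.0_22",
    "desk-07": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:8} {status}")
```

Hosts reported as `unparsed` or `not-listed` are outside what the alert states and need a manual check rather than an assumption either way.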