One more time: Just Another Vulnerability Announcement
Thanks... -- richard From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Monday, April 22, 2013 2:08 PM To: NT System Admin Issues Subject: Cross post on latest round of Java Bugs from Bugtraq Hello All, Today, a vulnerability report with an accompanying Proof of Concept code was sent to Oracle notifying the company of a new security weakness affecting Java SE 7 software. The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed). What's interesting is that the new issue is present not only in JRE Plugin / JDK software, but also the recently announced Server JRE as well [1]. Those concerned about a feasibility of exploitation of Java flaws in a server environment should consult Guideline 3-8 of "Secure Coding Guidelines for a Java Programming Language" [2]. It lists the following software components and APIs as potentially prone to the execution of untrusted Java code: - Sun implementation of the XSLT interpreter, - Long Term Persistence of JavaBeans Components, - RMI and LDAP (RFC 2713), - Many SQL implementations. In Apr 2012 [3], we reported our first vulnerability report to Oracle corporation signaling multiple security problems in Java SE 7 and the Reflection API in particular. It's been a year since then and to our true surprise, we were still able to discover one of the simplest and most powerful instances of Java Reflection API based vulnerabilities. It looks Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the "allowed" classes space. If so, no surprise that Issue 61 was overlooked. Thank you. Best Regards Adam Gowdiak Looks like more Java patching to come.. and the flaws continue... Z Edward E. Ziots, CISSP, CISA, Security +, Network + Security Engineer Lifespan Organization ezi...@lifespan.org<mailto:ezi...@lifespan.org> Work:401-444-9081 This electronic message and any attachments may be privileged and confidential and protected from disclosure. If you are reading this message, but are not the intended recipient, nor an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that you are strictly prohibited from copying, printing, forwarding or otherwise disseminating this communication. If you have received this communication in error, please immediately notify the sender by replying to the message. Then, delete the message from your computer. Thank you. [cid:image001.jpg@01CE3F64.8449ED80] ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin The information contained in this e-mail, and any attachments hereto, is from The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying or use of the contents of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by reply email and permanently delete the original and any copy of this e-mail and any printout thereof. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
<<inline: image001.jpg>>
