Educause Security Discussion mailing list archives

Re: Java problems


From: Chuck Braden <j-braden () TAMU EDU>
Date: Mon, 14 Jan 2013 15:42:46 +0000

I am providing the comments below as they are written - can't be confirmed
one way or the other

http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/#comments

Rabid Howler Monkey
January 12, 2013 at 2:06 pm
<http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/comment-page-1/#comment-140930>

With regard to the difference of opinion between CERT and the National
Vulnerability Database (i.e., NIST) on the vulnerability of Java SE versions
prior to Java SE 7, inspection of the NIST link in the article indicates
that Java SE 6 Update 35 and previous versions are vulnerable. Java SE 6 is
currently at Update 38 and, therefore, would not be vulnerable.

Thus, for Java SE 6 users, the safe thing to do is ensure that you are
running Update 38, and if not, update your Java to Update 38 from Oracle's
download site:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

P.S. 1 Am not taking sides on the CERT NIST dispute.

P.S. 2 Given that Oracle has been automatically migrating its Java SE 6
users to Java SE 7 starting as far back as November, 2012, it would appear
that the miscreants may have timed their attack with this Java SE 7 exploit
such that most Java SE users have the vulnerable version installed on their
PCs. If true, then this whole thing could be characterized as an ambush. All
the miscreants had to do was wait for Oracle to mostly complete the
automatic migration of its Java SE 6 users to SE 7.

Luca <http://blog.nibblesec.org>
January 13, 2013 at 9:18 pm
<http://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/comment-page-1/#comment-141233>

Q: I'm using Java 6. Does that mean I don't have to worry about this? 

There are two different issues involved in this attack: (a)
MBeanInstantiator, affecting Java 6 and Java 7, and (b) Reflection API abuse,
affecting Java 7 only.

That's the reason for such confusion. Btw, Adam Gowdiak confirmed it -
being a world-class security expert for Java, we can just listen to him and
agree.

Jimmy C Braden

Information Security Officer

AgriLife Information Technology

979-862-7254

j-braden () tamu edu
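The thread's practical question is "which update level am I on, and is it at or above the fixed one?" The following is an added example, not code from the thread or from Oracle: it parses `java -version` banners and classifies each host against the two thresholds the messages above name (Java SE 6 Update 38 per the NVD reading, Java SE 7 Update 11 per Oracle's CVE-2013-0422 release notes). The threshold table, the `assess` function and the host banners are all constructed for this example; "patched" here only means "at the update level Oracle shipped as the fix", which matters because the thread itself quotes reports that 7u11 still has unresolved issues.

```python
import re

# Minimum update levels named in this thread (assumption: a fixed table for the
# example; in practice it must track current vendor advisories).
MIN_UPDATE = {6: 38, 7: 11}

# Legacy Java version strings look like 1.<major>.0_<update>, e.g. 1.7.0_10.
_VERSION_RE = re.compile(r'^1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) from a 'java -version' banner or a bare
    version string such as '1.7.0_10'. Raises ValueError if unrecognised."""
    m = re.search(r'java version "([^"]+)"', text)
    ver = m.group(1) if m else text.strip()
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError("unrecognised Java version string: %r" % ver)
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # no '_NN' suffix -> update 0
    return major, update


def assess(text):
    """Classify one installed Java against MIN_UPDATE.

    Returns 'patched', 'vulnerable', or 'unsupported' (a major version the
    thread does not cover, e.g. Java 5, which should be treated as a finding
    in its own right rather than as safe)."""
    major, update = parse_java_version(text)
    if major not in MIN_UPDATE:
        return 'unsupported'
    return 'patched' if update >= MIN_UPDATE[major] else 'vulnerable'


# Constructed sample banners in the format 'java -version' prints; not real hosts.
SAMPLE_BANNERS = {
    'host-a': 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    'host-b': 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    'host-c': 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    'host-d': 'java version "1.6.0_38"\nJava(TM) SE Runtime Environment (build 1.6.0_38-b05)',
}


def report(banners):
    """Map host name -> assessment for a dict of collected banners."""
    return {host: assess(banner) for host, banner in banners.items()}


if __name__ == '__main__':
    for host, status in sorted(report(SAMPLE_BANNERS).items()):
        print(host, status)
```

Feed it the output of `java -version` collected from each machine (the banner goes to stderr, so redirect with `2>&1`); hosts reporting "vulnerable" or "unsupported" are the ones to update, and the Java 6 hosts additionally face the end-of-life date mentioned below.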


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chuck Braden
Sent: Monday, January 14, 2013 9:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Java problems

Everything I am reading says the most current version of 1.6 is not
vulnerable to the zero day currently being exploited. However, you got all
of 1 month before 1.6 goes End-of-life. The initial announcement about
1.7.11 seems to indicate the vulnerabilities identified in the last week are
addressed with 1.7.11.

http://nakedsecurity.sophos.com/2013/01/13/oracle-releases-cve-2013-0422-patch-for-java/

So here's some good news: Oracle has been on the ball and has already come
out with a patch. Java 7 Update 11
<http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html>
fixes both CVE-2013-0422 and a second vulnerability.

I also saw a couple of links that say 1.7.11 is still vulnerable - but it
seems the existing code implemented a work around.

http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/

http://www.stuff.co.nz/technology/digital-living/8175388/Java-update-still-has-bugs-says-expert

Jimmy C Braden

Information Security Officer

AgriLife Information Technology

979-862-7254

j-braden () tamu edu

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shalla, Kevin
Sent: Monday, January 14, 2013 9:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Java problems

Here's a Chicago Tribune story on Java security problems:

http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story

We use Java 6 in order to run Banner.  This article seems to suggest that
Java 6 doesn't have the problem.  People in my department have started to
ask me what to do.  What do you all think?

Kevin