Saturday, September 1, 2012

Oracle has released urgent patches for Java 6 and 7

Out-of-cycle patch for a 0-day vulnerability

Oracle has released an out-of-cycle patch for a 0-day vulnerability that several cybercriminal groups have begun actively exploiting in recent days.

The JDK and JRE 7 Update 7 and JDK and JRE 6 Update 34 releases contain patches for four Java vulnerabilities, including the notorious CVE-2012-4681. Oracle has emphasized that, given the danger of this threat, all users are strongly advised to install these patches as soon as possible.

The vulnerabilities affect only the desktop version of the Java plugin running inside a web browser; they do not affect the server version or standalone Java applications.

Oracle thus made the wise decision to release the patch without waiting for the planned October update. It turned out that the vulnerability affects not only Java 7 but also Java 6. More precisely, three of the four vulnerabilities concern Java 7 and one concerns both Java 6 and 7. According to the published information, however, the vulnerability closed in Java 6 does not allow remote code execution and has a maximum CVSS rating. But the fact that it was included in the same package as the others suggests that all four vulnerabilities are related.

Still, the question remains: how can the Java browser plugin be used safely? While recommendations to disable it completely are unlikely to be practical, restricting it to "click to play" and maintaining a list of sites that are allowed to run Java applets still makes sense.

Hacker HD Moore, who recently wrote a new Java module for the Metasploit framework, warns that Oracle has closed the obvious holes, but attackers may find a different way to exploit the same code, so other exploits may appear after a while. And even if the patch works reliably, says HD Moore, it will be months before it is installed by all users.

Java Runtime Environment 7 Update 7: version 7 Update 7 fixes two vulnerabilities (CVE-2012-1723 and CVE-2012-4681).
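Since the post says it will be months before the patch reaches every user, the first thing a defender wants is a check of which update level a workstation actually runs. The following is an added example, not code from the post or from Oracle: it parses the banner that `java -version` prints and compares it with the update levels the post lists as fixed (7 Update 7 and 6 Update 34, taken from the text above); the `1.6.0_xx` / `1.7.0_xx` banner format is assumed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Update levels the post lists as fixed, keyed by the "1.x" family.
# Values are as stated in the post; they are not taken from Oracle's advisory.
FIXED_UPDATE = {6: 34, 7: 7}

# Assumed banner format, e.g.  java version "1.7.0_07"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (family, update) from `java -version` output, e.g. 1.7.0_07 -> (7, 7)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2) or 0)  # a banner with no "_NN" suffix is update 0
    return family, update


def is_patched(banner: str) -> bool:
    """True when the family is at or above the update level the post lists as fixed.
    Families the post does not cover (e.g. 1.5) and unparseable banners count as not patched."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    family, update = parsed
    if family not in FIXED_UPDATE:
        return False
    return update >= FIXED_UPDATE[family]


def installed_java_is_patched() -> Optional[bool]:
    """Run the local `java -version` (it prints to stderr) and evaluate the banner.
    Returns None when no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_patched(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners: one below and one at the fixed level for the 1.7 family.
    for sample in ('java version "1.7.0_06"', 'java version "1.7.0_07"'):
        print(sample, "->", "patched" if is_patched(sample) else "UPDATE NEEDED")
```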
