Monday, September 3, 2012

Oracle knew about the presence of 0-day Java vulnerabilities in April

Security Explorations company said it released Oracle solution does not correct all vulnerabilities in Java

Oracle has released a security alert, which eliminated the zero-day vulnerability in Java (CVE-2012-4681). Recall that last week of the first public exploit this vulnerability reported Atif Mushtaq from the company FireEye. According to experts, hackers used a gap in Java for the implementation of targeted attacks, but in the near future to exploit it was supposed to be accessible to a wide range of cyberhawks.

The next day, the company Rapid 7 said about adding a module to exploit CVE-2012-4681 for a tool to pentesterov Metasploit, and Brian Krebs, citing its own sources, said that his version of the exploit works and authors BlackHole. Quoting one of the leaders of BlackHole, Krebs wrote that the price of such an exploit could be about $ 100,000.

In the period between the notification and the FireEye update release of Oracle Internet brought a wealth of publications and tips to eliminate vulnerabilities, both from security experts, and from fraud. First advised to disable Java in the browser environment, and use it only when necessary, the second often offer users download their own solution to the problem.

On Friday, after the release of updates to Oracle, the mailing list Bugtraq message appears the polish of Security Explorations Adam Gowdiak, in which he said that the manufacturer was notified of the vulnerability in April of this year.

"Today, we have sent a report on Oracle vulnerabilities and PoC code. This code successfully demonstrates the full bypass sandbox JVM in the latest Java SE (version 7 Update 7, released August 30, 2012), "- said Govdiak. The notice also posted a link to a site Security Explorations, which shows the process of communication with Oracle. According to the researchers, the staff in the spring of Oracle confirmed receiving and decoding the report about the vulnerability in Java.

No comments:

Post a Comment