Wednesday, March 6, 2013

Emergency patch for zero-day vulnerabilities in Java


Oracle has released an emergency patch for zero-day vulnerabilities in Java


For the second time, the company has departed from its update release schedule because of frequent hacking attacks.

On Monday, March 4, Oracle released two unscheduled updates, Java 7 Update 17 and Java 6 Update 43, to fix two critical vulnerabilities in Java, one of which hackers are using to carry out targeted attacks.

The vulnerabilities CVE-2013-1493 and CVE-2013-0809, which exist because of errors in the 2D sub-component, received Oracle's highest severity rating (CVSS score 10.0).

The vulnerabilities can be exploited remotely by unauthorized users. An attacker can execute arbitrary code on the target system.


Exploitation of CVE-2013-1493 became known last Thursday, when information security experts at FireEye discovered a number of attacks. In those attacks the hackers used the hole to install malicious software known as McRAT, which allows them to gain remote access to the victim's computer.

Note that this is not the first time that Oracle has changed the release schedule for updates. The first such update was due to be released on February 19, but because of attacks the company released it on February 1.

We encourage our readers to install the Java update as soon as possible.

Detailed description of vulnerability

System compromise in Java

Severity Rating: Critical
Patch: Yes
Number of vulnerabilities: 2

CVE ID: CVE-2013-1493
CVE-2013-0809
Vector of operation: Remote
Impact: System Compromise

Affected Products: IBM Java 6.x
IBM Java 7.x

Affected versions:
Java 6 Update 41, perhaps the only one.
Java 7 Update 15, possibly other versions.

Description:
The vulnerability allows a remote user to execute arbitrary code on the target system.

1. An error in the 2D sub-component. A remote user can execute arbitrary code on the target system.

2. An error in the 2D sub-component. A remote user can execute arbitrary code on the target system.

Note: The vulnerability is currently being actively exploited.

Solution: Install the vulnerability patch from the manufacturer.
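
To confirm that the update has actually reached every machine, the following added example (not part of the original post or of any Oracle tool) classifies `java -version` output against the fixed releases named above, Java 7 Update 17 and Java 6 Update 43. The host names and version strings in the sample are constructed, and the function and status names are assumptions of this example.

```python
import re

# Fixed update levels named in this post: Java 7 Update 17 and Java 6 Update 43.
FIXED_UPDATE = {7: 17, 6: 43}

# Legacy version string as printed by `java -version`, e.g. 1.7.0_15 or 1.6.0_41-b02.
# A release without an update suffix (plain 1.7.0) counts as update 0.
_VERSION_RE = re.compile(r'\b1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, update) from `java -version` output, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2) or 0)


def assess(text):
    """Classify one `java -version` output against the fixed releases."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"              # output not recognised, check by hand
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "not-covered"          # family not discussed in this post
    return "patched" if update >= fixed else "below-fixed-release"


def assess_inventory(outputs):
    """Map each host name to its status; `outputs` is {host: version text}."""
    return {host: assess(text) for host, text in outputs.items()}


# Constructed sample inventory. Note that `java -version` writes to stderr,
# so collect it with 2>&1 when gathering output from real hosts.
SAMPLE = {
    "ws-01": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
    "ws-02": 'java version "1.7.0_17"',
    "ws-03": 'java version "1.6.0_41"',
    "ws-04": 'java version "1.6.0_43"',
    "ws-05": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(assess_inventory(SAMPLE).items()):
        print(host, status)
```
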

Links:
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
