Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Java Vulnerability Affects 1 Billion Plug-ins

From: InfoSec News <alerts () infosecnews org>
Date: Thu, 27 Sep 2012 03:33:06 -0500 (CDT)
http://www.informationweek.com/security/application-security/java-vulnerability-affects-1-billion-plu/240007985

By Mathew J. Schwartz
InformationWeek
September 26, 2012
Anyone still using a Java plug-in in their Web browser, beware: Another major, new--and as yet unpatched--vulnerability has been spotted in Java.
Unfortunately, unlike a number of the other, recently spotted Java bugs, the latest security issue affects not just the current, version 7 of Java, but also versions 5 and 6. In other words, every version of Java released for the past eight years, collectively used by approximately one billion people, is vulnerable to the exploit.
Security researcher Adam Gowdiak of Security Explorations announced the bug discovery Tuesday in a post to the Full Disclosure mailing list. "The impact of this issue is critical--we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7." In other words, an attacker could use the exploit to run arbitrary code on, and remotely compromise, a vulnerable system.
Gowdiak said his firm successfully demonstrated the vulnerability on Java SE 5 Update 22, Java SE 6 Update 35, and Java SE 7 Update 7, using a fully patched 32-bit Windows 7 system, as well as five different Web browsers: Firefox 15.0.1, Google Chrome 21.0.1180.89, Internet Explorer 9.0.8112.16421 (update 9.0.10), Opera 12.02 (build 1578), and Safari 5.1.7 (7534.57.2). 

[...]


--
ExpandingSecurity.com Live OnLine classes won&#8217;t wreck your schedule.
Get that cert and be done before 2012 ends. Last ISSAP 2012 class starts
Sept. 25th. Last 2012 CISSP and CEH starts Oct. 1:
CEH info signup: http://www.expandingsecurity.com/product/ceh-certified-ethical-hacker-online/
CISSP info signup: http://www.expandingsecurity.com/product/cissp-live-online-10-week-course/
ISSAP info signup: http://www.expandingsecurity.com/product/issap-information-systems-security-architecture-professional/
Previous By Date Next
Previous By Thread Next

Current thread: