Oracle Java Flaws Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1028019|
SecurityTracker URL: http://securitytracker.com/id/1028019
(Links to External Site)
Updated: Jan 19 2013|
Original Entry Date: Jan 19 2013
Execution of arbitrary code via network, User access via network|
Vendor Confirmed: Yes |
Version(s): 7 Update 11; possibly prior versions|
Two vulnerabilities were reported in Oracle Java. A remote user can cause arbitrary code to be executed on the target user's system.|
A remote user can create specially crafted Java content that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
The vendor was notified on January 18, 2013.
On version Java 7 Update 11, user confirmation is required in order for unsigned or self-signed Java applets to run.
Adam Gowdiak of Security Explorations reported these vulnerabilities.
A remote user can create Java content that, when loaded by the target user, will execute arbitrary code on the target user's system.|
No solution was available at the time of this entry.|
Vendor URL: www.java.com/ (Links to External Site)
|Underlying OS: Linux (Any), UNIX (Solaris - SunOS), Windows (Any)|
Source Message Contents
Subject: [Full-disclosure] [SE-2012-01] Java 7 Update 11 confirmed to be vulnerable|
This post might be interesting for those concerned about the
state of Oracle's Java SE security.
We have successfully confirmed that a complete Java security
sandbox bypass can be still gained under the recent version
of Java 7 Update 11  (JRE version 1.7.0_11-b21).
MBeanInstantiator bug (or rather a lack of a fix for it )
turned out to be quite inspirational for us. However, instead
of relying on this particular bug, we have decided to dig our
own issues. As a result, two new security vulnerabilities (51
and 52) were spotted in a recent version of Java SE 7 code and
they were reported to Oracle today  (along with a working
Proof of Concept code).
"We bring security research to the new level"
 Oracle Security Alert for CVE-2013-0422
 Java 7 Update 11 Addresses the Flaw Partly Fixed in October 2012,
 Confirmed: Java only fixed one of the two bugs
 SE-2012-01 Vendors status
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/