Oracle patches Java 0-day, researchers say there's another one
Posted on 31 August 2012.
Oracle has finally issued an update for Java 7 (v 1.7.0_07) which solves the problem of the CVE-2012-4681 vulnerability (which actually consists of two distinct flaws).

The update also fixed two other related vulnerabilities, and the company "strongly recommended" that customers apply the updates as soon as possible, given the severity of all the vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild."

An out-of-schedule update for Java 6 (1.6.0_35) has also been issued. Both updates are available for Windows, Mac OS X, and Linux, but Windows users can also take advantage of the Java Automatic Update to get the latest release.

Still, researchers from Polish firm Security Explorations - the ones who alerted Oracle about the vulnerabilities in the first place - claim that they have discovered a similar vulnerability (and, again, reported it to Oracle) that could very soon put Java users in danger again.

"The out-of-band patch released by Oracle yesterday, among other things fixed the exploitation vector with the use of SunToolkit class, the one we used in our proof of concept codes. This made many of them not working... Till today," Security Explorations CEO Adam Gowdiak shared with Softpedia.

"When combined with some of the Apr 2012 issues, the new issue reported to Oracle today allows to achieve a complete JVM sandbox bypass in the environment of latest Java SE 7 Update 7."

And while attacks exploiting this new issue have yet to be spotted in the wild, I'm thinking that Oracle will have to reconsider their usual patching schedule if they want to keep their Java users.





