Oracle releases new Java update to close security holes

Oracle has a released an update that fixes the widely publicized security hole in their Java software. This update brings Java to version 7 Update 11 and fixes two security holes found in previous versions of the software that affected Java running in web browsers. This update also changes the default Java Security Level from Medium to High. With Java being set to High, Java will always prompt you as to whether you want to run an unsigned Java applet or a Java Web Start application.

As the security hole being patched is currently in use by various Crime Kits to exploit and access your computer it is imperative that all users install this update. To install the update, please uninstall all versions of Java by using the Windows Add or Remove Programs or Uninstall Programs control panel. Then install version 7 update 11 using the the following link associated with the bit-type of Windows you are using:

Windows Offline Java Installer(32-bit)
Windows Offline Java Installer (64-bit)

If you are using a 64-bit version of Windows and use both 32-bit and 64-bit web browsers, then you will need to install both versions. If you are on a 32-bit version of Windows or only use 32-bit web browsers, then you only need to install the 32-bit file.

Thank you for confirming,

Edited by Union_Thug, 15 January 2013 - 03:15 AM.

Honestly can I ever trust Java again? When was the exploit discovered? September? It has been several months of waiting for a patch or even a hotfix and they just now close the hole? I have been struggling like mad to remove Java off all my customers and client's computers. Hopefully with the push for HTML5 and other more secure platforms Java will no longer be necessary. Thanks for the info.

Edited by omega84, 15 January 2013 - 02:16 AM.

>>>When was the exploit discovered? September? It has been several months of waiting for a patch...<<<

I believe one of the bugs (there were 2 in this particular exploit) was originally disclosed in August and Oracle issued a "patch" in October. Obviously it got...unpatched somehow.

>>>Honestly can I ever trust Java again?<<<

I think we all know the answer or is that a rhetorical question?

>>>Hopefully with the push for HTML5 and other more secure platforms Java will no longer be necessary.<<<

No argument here.

If you have not uninstalled Java, then it would automatically update itself.

BTW, the new update seems not be good enough for American security experts.
http://www.chicagotribune.com/business/technology/chi-java-update-oracle-updates-java-security-experts-say-bugs-remain-20130114,0,7822126.story

Brian Krebs continues to advise people to remove Java unless you find you absolutely need it, then use a "2 browser solution"' one with, one without.

Edit: One of the first things I do after updating manually is to disable the auto updater & disable the jusched.exe (SP?) Run key in the registry using Autoruns,

Edited by Union_Thug, 15 January 2013 - 06:44 AM.

BBC article
Title: "Java still contains security flaws, experts claim"
Link: http://www.bbc.co.uk/news/technology-21011669

Oracle issued an emergency update to its widely-used Java web software on Sunday, but experts say it still contains security flaws.

It would seem those experts were right, apparently the next 0-day is already there: http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

regards myrti

self delete

Edited by Union_Thug, 16 January 2013 - 08:28 PM.

Nothing can be said at this point. PoC or exploit code is not available.
More coffee for Oracle Java developers

Yet another vulnerability...

Researchers find critical vulnerabilities in Java 7 Update 11
http://podcasts.infoworld.com/d/security/researchers-find-critical-vulnerabilities-in-java-7-update-11-211150?_kip_ipx=502702245-1358568875&source=rss_security

Researchers from Security Explorations, a Poland-based vulnerability research firm, claim to have found two new vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software's security sandbox and execute arbitrary code on computers.

Oracle released Java 7 Update 11 last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware.

Security Explorations successfully confirmed that a complete Java security sandbox bypass can be still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company's researchers, Adam Gowdiak, the company's founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.

According to Security Explorations' disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.

Edited by Union_Thug, 18 January 2013 - 11:22 PM.