New Java Update Released To Patch In-the-Wild Flaw
Oracle recently released a security advisory for a critical patch for Java, which updates Java 7 to Update 13. (Users of the older Java 6 also received an update, taking them to Update 39.) Accordingly, this advisory addresses several vulnerabilities for the following affected products:
- JDK and JRE 7 Update 11 and earlier
- JDK and JRE 6 Update 38 and earlier
- JDK and JRE 5.0 Update 38 and earlier
- SDK and JRE 1.4.2_40 and earlier
- JavaFX 2.2.4 and earlier
Fifty vulnerabilities were patched in this update. According to Oracle, one of these vulnerabilities is already being exploited in the wild, which is why the update was released early (instead of February 19 as originally scheduled).
We believe that the targeted vulnerability is a Java Security Slider vulnerability, which is covered in CVE-2013-1489. It does not necessarily lead to exploitation but when combined with other vulnerabilities can actually lead to a ‘blind’ exploitation. For instance, when the Security Slider is set to the default (high) all unsigned applets must be authorized via a dialog box by a browser user in order to execute. This provides the browser operator the opportunity to prevent execution of suspicious applets that may result in successful exploits. However, when CVE-2013-1489 is combined with vulnerabilities that can be used to cause direct impacts, the effect can be that the impact can be caused “silently” without the authorization dialog box.
Just last month, Oracle released a security fix for the Java zero-day for CVE-2013-0422. The said fix is ‘incomplete’ due to an issue in findclass, method of com.sun.jmx.mbeanserver.MBeanInstantiator class which can possibly open a security hole when combined to another vulnerability. Similar to the Java Security Slider vulnerability, on its own, it cannot be exploited.
While this vulnerability does not pose risk on its own, it is highly recommended that users download and install the latest version on their systems immediately. For enterprises and users who need to use Java, you can refer to this post for tips.
With additional inputs from Vulnerability researcher Pavithra Hanchagaiah