AplusWebMaster

Java JRE updates/advisories

59 posts in this topic

FYI...

 

Java JRE v1.6.0_22 released

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

2010-October-12

 

Release Notes

- http://www.oracle.com/technetwork/java/javase/6u22releasenotes-176121.html

 

Oracle Java SE and Java for Business Risk Matrix (CVE#)

- http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html#AppendixJAVA

 

- http://krebsonsecurity.com/2010/10/java-update-clobbers-29-security-flaws/

October 12, 2010 - "... critical update... fixing at least 29 security vulnerabilities..."

 

- http://secunia.com/advisories/41791/

Release Date: 2010-10-13

Last Update: 2010-10-21

Criticality level: Highly critical

Impact: Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote...

Solution Status: Vendor Patch

CVE Reference(s): CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574

 

- http://www.securitytracker.com/id?1024573

Oct 14 2010

 

:ph34r:


FYI...

 

Have you checked Java?...

- http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx

18 Oct 2010 - "... by the beginning of this year, the number of Java exploits... (... -not- attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored. See chart... a reminder that, in addition to running real-time protection, it is -imperative- to apply all security updates for software, no matter what your flavor might be."

Chart: http://blogs.technet.com/cfs-filesystemfile.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-62-58-metablogapi/5824.JavaPDFAttacksthrough2010Q31_5F00_4ECD269A.gif

 

- http://krebsonsecurity.com/2010/10/microsoft-a-tidal-wave-of-java-exploitation/

October 18, 2010 - "... the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions” ..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353

Last revised: 08/21/2010

CVSS v2 Base Score: 10.0 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3867

Last revised: 08/21/2010

CVSS v2 Base Score: 9.3 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0094

Last revised: 08/21/2010

CVSS v2 Base Score: 7.5 (HIGH)

 

- http://labs.m86security.com/2010/10/don%E2%80%99t-get-infected-by-zombies/

October 15, 2010 - "... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed..."

 

- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=84#sID202

"... Eighty percent of PCs run at least one version of Java. Of those, 40 percent are running outdated versions. There is a Java update service, but user notification is slow and the service allows multiple versions of the software to run on PCs, so users' computers can be vulnerable to older attacks even if they're running a newer version of Java..."

 

:ph34r: :!:


FYI...

 

Hello? Update. Please?

- http://www.zdnet.co.uk/blogs/walsingham-10020628/guess-who-hasnt-patched-the-java-security-hole-10020866/

25 October, 2010 - "... Only 7% have applied the critical patch. According to Trusteer*, 68% of Internet users are still at risk from the attacks that these Java vulnerabilities expose and goes as far as to claim that it has become the single most exploitable vulnerability on the web today... these things are not called 'critical' for the heck of it."

 

* http://www.trusteer.com/company/press/trusteer-finds-massive-internet-security-hole-remains-unpatched-users

Oct. 25, 2010 – "... over a week after Oracle released a critical patch for Java, more than 68 percent of Internet users are still at risk from attacks that exploit these vulnerabilities. This may be the biggest security hole on the Internet today, since 73 percent of Internet computers are using Java..."

 

- http://blogs.cisco.com/security/java-exploits-another-example-of-tomorrows-threat-landscape-today-2/

October 28, 2010 - "... Cisco ScanSafe data from the past 6 months:

- http://blogs.cisco.com/wp-content/uploads/2010-10-22-Java-Security.jpg

Java vs. Flash vs. PDF, Apr - Sep 2010

... for all web-based malware, 65% of what ScanSafe blocked was prior to exploit delivery, at the iframe or malicious JavaScript reference level..."

___

 

60 second check for updates here.

 

:scratchhead:


FYI...

 

Java exploits!...

- http://isc.sans.edu/diary.html?storyid=9916

Last Updated: 2010-11-11 00:05:00 UTC - "... Bottom line: If you haven't done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for."

* http://www.virustotal.com/file-scan/report.html?id=d47224d8141b36082443d3e06920af51e098076cae2581f5aebd076b0d61cd28-1289430438

File name: bad.exe

Submission date: 2010-11-10 23:07:18 (UTC)

Result: 14/43 (32.6%)

 

Currently Exploited Sun Java Vulnerabilities

- http://blog.sharpesecurity.com/2010/10/25/list-of-currently-exploited-sun-java-vulnerabilities/

___

 

60 second check for updates here.

___

 

- http://www.guardian.co.uk/technology/blog/2010/nov/16/java-oracle-google-ibm-harmony-apache-crisis

16 November 2010

 

:ph34r: :ph34r:


FYI...

 

Java JRE v1.6.0_23 released

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Dec. 8, 2010

Offline Installation - jre-6u23-windows-i586.exe - 15.79 MB

[Noted: 2011.01.14 - "This release includes performance improvements and bug fixes."]

 

- http://www.oracle.com/technetwork/java/javase/6u23releasenotes-191058.html

"... Bug Fixes: Java SE 6u23 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6u22. Users who have Java SE 6u22 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. For other bug fixes, see the Java SE 6u23 Bug Fixes page*..."

* http://www.oracle.com/technetwork/java/javase/2col/6u23bugfixes-191074.html

208 bug fixes ...

?? "6945145 - java_deployment - security - PKIX path validation failed: App won't start when offline when using JOGL/Win7 ..."

 

:ph34r:


FYI...

 

Java vuln - patch available...

- http://secunia.com/advisories/43262/

Release Date: 2011-02-09

Criticality level: Moderately critical

Impact: DoS

Where: From remote

Solution: Apply patch via the FPUpdater tool.

... The vulnerability is reported in the following products: Sun JDK and JRE 6 Update 23 and prior, Sun JDK 5.0 Update 27 and prior, Sun SDK 1.4.2_29 and prior.

- http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

2011-February-08

___

 

- http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html

February 8, 2011 - "... the fix for this vulnerability will also be included in the upcoming Java Critical Patch Update (Java SE and Java for Business Critical Patch Update - February 2011*), which will be released on February 15th 2011..."

* http://www.oracle.com/technetwork/topics/security/alerts-086861.html

 

- http://www.h-online.com/security/news/item/Oracle-warns-of-Java-vulnerability-1186135.html

9 February 2011 - "... Affected are Java SE and Java for Business in the current and all previous versions of the JDK/JRE 6, 5 and 1.4. To solve the problem, Oracle has released a hotfix* that users are advised to apply immediately, as information on how to exploit the DoS vulnerability is already freely available. The vendor also plans to release a regular Java update on 15 February."

* http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater

 

:ph34r: :!:


FYI...

 

Java v1.6.0_24 released

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Feb. 15, 2011

 

Release Notes

- http://www.oracle.com/technetwork/java/javase/6u24releasenotes-307697.html

The full internal version number for this update release is 1.6.0_24-b07 (where "b" means "build"). The external version number is 6u24...

Bug Fixes: This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE and Java for Business Critical Patch Update advisory.

- http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

Feb. 2011 - "... This Critical Patch Update contains 21 new security fixes..."

 

Java Downloads for All Operating Systems - Recommended Version 6 Update 24

- http://java.com/en/download/manual.jsp

 

Which version of Java should I download for my 64-bit Windows operating system?

- http://java.com/en/download/faq/java_win64bit.xml

 

Bug list:

- http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html#AppendixJAVA

___

 

3rd party Java test site

- http://javatester.org/version.html

___

 

Java - Multiple Flaws Let Remote Users Execute Arbitrary Code, Access Data, Modify Data, and Deny Service

- http://www.securitytracker.com/id/1025082

Feb 15 2011

 

- http://secunia.com/advisories/43262/

Last Update: 2011-02-16

Criticality level: Highly critical

Impact: Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote...

Solution: Apply updates (see vendor's advisory).

Original Advisory: Oracle:

- http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

___

 

Most Vulnerable Browser Plug-in...

- http://www.esecurityplanet.com/news/print.php/3925356

February 17, 2011 - "... between July of 2010 and January of 2011... 42 percent of users were running vulnerable out-of-date Java plug-ins..."

 

:ph34r:


FYI...

 

Java - update ugly...

- https://www.computerworld.com/s/article/9215021/Java_updates_may_include_annoying_McAfee_scanner

March 24, 2011 - "Windows users who install the latest Java security patches may end up with a little more security than they bargained for, at least that's the risk they take if they don't pay close attention to the installation process. Starting last month, Oracle began bundling a security scanning tool called the McAfee Security Scan Plus with its Java updates for the Windows operating system. The software is installed by default with the Java update, so unless users notice and uncheck the McAfee installation box as they're updating Java, they'll end up downloading McAfee's software too...

Oracle bundles different products with Java in different regions, so not all Windows users may get Security Scan Plus with their Java updates. Once downloaded, the McAfee software prompts the user on a daily basis to accept McAfee's licensing terms to complete the installation. The user can cancel out of this prompt, but there is no option to decline the terms. To remove the software, the user must use the Windows "Uninstall a Program" feature. A number of users have inadvertently installed the software since Oracle started the bundling deal with Intel's McAfee subsidiary last month... Some users are unhappy, including one who posted to an Intel message board after noticing a slowdown on a family member's PC a few weeks ago, apparently after a Java update... Security Scan Plus is a 1MB download. But it uses 4MB of memory when running, a company spokeswoman said via e-mail. There are other ways to end up with it on your system. Some users have complained of downloading it as part of an Adobe reader update, and it can be picked up when downloading via Adobe's Download Center, an Adobe spokeswoman said..."

 

[...aka "Tag-along software installs" - not the only vendors who do this...]

- https://www.ixquick.com/

"... about 1,860 for ' Tag-along software installs '"

- https://encrypted.google.com/

Tag-along software installs

"... About 644,000 results..."

 

:ph34r::hmmm:


FYI...

 

Java v1.6.0_25 released

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

April 22, 2011

 

Release Notes

- http://www.oracle.com/technetwork/java/javase/6u25releasenotes-356444.html

"Highlights: This update release contains important enhancements for Java applications:

Improved performance and stability

Java HotSpot™ VM 20

Support for Internet Explorer 9, Firefox 4 and Chrome 10

Improved BigDecimal ...

Java SE 6u25 does not add any fixes for security vulnerabilities beyond those in Java SE 6u24. Users who have Java SE 6u24 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

 

Bug fixes

- http://www.oracle.com/technetwork/java/javase/2col/6u25bugfixes-356453.html

193...

 

:!:


FYI...

 

> http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

June 3, 2011 - "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for June 2011, which will be released on Tuesday, June 7, 2011... This Critical Patch Update contains 17 new security vulnerability fixes..."

___

 

Java exploits predominate...

- http://www.informationweek.com/news/security/vulnerabilities/229700251?printer_friendly=this-page

June 01, 2011 - "... In 2011, the Java threat doesn't appear to have diminished. According to a study by Kaspersky Labs[1] that looked at malware trends from January through March 2011, Java vulnerabilities comprised a significant portion of the top 10 "most seen" vulnerabilities* on people's PCs..."

* http://blogs.technet.com/b/mmpc/archive/2011/05/25/microsoft-safety-scanner-detects-exploits-du-jour.aspx

"... 7 of the top 10 threats are files containing exploits for Java vulnerabilities such as CVE-2008-5353, CVE-2010-0094, CVE-2010-0840 and CVE-2009-3867... many of these detections by MSS are the debris or aftermath after the exploit has already executed. By the time a user downloads and runs MSS to detect malware, the machine may have already been infected, if it was vulnerable to the exploit at the time... aside from additional malicious Java code detections... active threats were also reported on machines found to be infected by Exploit:Java/CVE-2008-5353**...

** http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3867

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0094

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0840

CVSS v2 Base Score: ... (HIGH)

 

[1] http://www.securelist.com/en/analysis/204792176/IT_Threat_Evolution_for_Q1_2011#9

"... In the first quarter of 2011, the number of blocked attacks stood at 254,932,299 – these attacks were carried out from web resources located in different countries all over the world..."

 

> http://www.microsoft.com/security/sir/keyfindings/default.aspx#section_3_1

 

:!: :ph34r:


FYI...

 

Java JRE 6 Update 26 released

- http://java.com/en/download/manual.jsp

 

- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u26-download-400751.html

June 7, 2011

Windows x86 15.85 MB jre-6u26-windows-i586.exe

Windows x64 16.14 MB jre-6u26-windows-x64.exe

 

Release Notes

- http://www.oracle.com/technetwork/java/javase/6u26releasenotes-401875.html

This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE Critical Patch Update advisory*.

 

* http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html#AppendixJAVA

CVSS Base Score 10.0: CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0871, CVE-2011-0873

Other: CVE-2011-0786, CVE-2011-0788, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0872

 

Download Java for your desktop computer

> http://java.com/en/download/index.jsp

___

 

- http://www.securitytracker.com/id/1025610

CVE Reference: CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873

Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network...

A remote user can create a Java applet or Java Web Start application that, when loaded by the target user, will access or modify data or execute arbitrary code on the target user's system. A remote user can cause partial denial of service conditions on the target system.

Solution: The vendor has issued a fix...

 

- http://secunia.com/advisories/44784/

Last Update: 2011-06-10

Criticality level: Highly critical

Impact: Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote...

Solution Status: Vendor Patch...

... versions prior to 1.6.0_26...

 

Quick test here: http://javatester.org/version.html

___

 

IBM Java v6.0.0 SR9 FP2 released

- http://secunia.com/advisories/45206/

Release Date: 2011-07-13

Criticality level: Highly critical

Impact: Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote

CVE Reference(s): CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873

Solution: Update to version 6.0.0 SR9 FP2.

Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/

 

:!:


FYI...

 

Java JRE v7 released

- http://www.oracle.com/technetwork/java/javase/downloads/java-se-jre-7-download-432155.html

July 28 2011

 

JDK 7 and JRE 7 Supported System Configurations

- http://www.oracle.com/technetwork/java/javase/config-417990.html

 

Security Enhancements

- http://download.oracle.com/javase/7/docs/technotes/guides/security/enhancements7.html

 

Release Notes

- http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-429209.html

 

Changes in Java SE 7

- http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html#changes

 

Known Issues

- http://www.oracle.com/technetwork/java/javase/jdk7-relnotes-418459.html#knownissues

___

 

- http://h-online.com/-1288208

29 July 2011 - "9494 bug fixes, 1966 enhancements, 9018 updates, 147 builds and four specification requests have gone into developing the latest Java Platform 7 and Oracle has now released JDK 7 as a general availability release. It is the first major release of the Java development environment since Oracle's takeover of Sun Microsystems..."

 

:!: :ph34r:


FYI...

 

- https://isc.sans.edu/diary.html?storyid=11506

Last Updated: 2011-09-05 13:44:59 UTC ...(Version: 2)

___

 

Java JRE 6 Update 27 released

- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u27-download-440425.html

August 17, 2011

Windows x86 ... jre-6u27-windows-i586.exe

Windows x64 ... jre-6u27-windows-x64.exe

 

Release Notes

- http://www.oracle.com/technetwork/java/javase/6u27-relnotes-444147.html

 

Bug Fixes

- http://www.oracle.com/technetwork/java/javase/6u27bugfixes-444150.html

 

NOTE:

https://www.java.com/en/download/faq/java7.xml

Java7: "... The new release of Java is first made available to the developers to ensure no major problems are found before we make it available on the java.com website for end users to download the latest version..."

 

:ph34r:


FYI...

 

Java exploitation remains high ...

- https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=mmpc&y=2011&m=10&d=13&WeblogPostName=sirv11-putting-vulnerability-exploitation-into-context&GroupKeys=

13 Oct 2011 - "... Most Frequent Exploits: ... Java exploitation remains high... The top four Java exploits are CVE-2010-0840, CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3867

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0094

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0840

 

Exploit Detections (charted)

> http://www.microsoft.com/security/portal/blog-images/BID043-111012-002.png

 

:ph34r: :ph34r:


FYI...

 

Java 7 Update 1 released

Release Notes / Bug Fixes

- http://www.oracle.com/technetwork/java/javase/7u1-relnotes-507962.html

October 18, 2011 - "... version number for this update release is 1.7.0_1-b08 (where "b" means "build"). The external version number is 7u1..."

 

Downloads

- http://www.oracle.com/technetwork/java/javase/downloads/jre-7u1-download-513652.html

Windows x86 jre-7u1-windows-i586.exe

Windows x64 jre-7u1-windows-x64.exe

___

 

Java 6 Update 29 released

Release Notes / Bug Fixes

- http://www.oracle.com/technetwork/java/javase/6u29-relnotes-507960.html

October 18, 2011 - "... version number for this update release is 1.6.0_29-b11 (where "b" means "build"). The external version number is 6u29..."

 

Downloads

- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u29-download-513650.html

Windows x86 jre-6u29-windows-i586.exe

Windows x64 jre-6u29-windows-x64.exe

___

 

Oracle Java SE Critical Patch Update Advisory - October 2011

- http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA

"... contains 20 new security fixes for Oracle Java SE. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password...

... Supported Versions Affected: JDK and JRE 7, 6 Update 27 and before..."

___

 

JRE Multiple Flaws Let Remote Users Execute Arbitrary Code and Deny Service

- http://www.securitytracker.com/id/1026215

CVE Reference: CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561

Date: Oct 19 2011

Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network.

Version(s): JDK and JRE 7; JDK and JRE 6 Update 27 and prior; JDK and JRE 5.0 Update 31 and prior; SDK and JRE 1.4.2_33 and prior.

... vendor has issued a fix... advisory is available at:

http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

 

- https://secunia.com/advisories/46512/

Release Date: 2011-10-19

Criticality level: Highly critical

Impact: Hijacking, Spoofing, Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote

Solution Status: Vendor Patch

Software: Oracle Java JDK/JRE SE 1.7.x / 7.x, JDK/JRE 1.6.x / 6.x, JDK/JRE 1.5.x, JDK/JRE 1.4.x

Description: Multiple vulnerabilities have been reported in Oracle Java SE, which can be exploited by malicious users to disclose certain information and by malicious people to disclose potentially sensitive information, hijack a user's session, conduct DNS cache poisoning attacks, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

... see the vendor's advisory for details...

http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

 

:ph34r: :ph34r:


FYI...

 

IBM Java - multiple vulns - update available

- https://secunia.com/advisories/46977/

Release Date: 2011-11-23

Criticality level: Highly critical

Impact: Exposure of sensitive information, DoS, System access

Where: From remote

Software: IBM Java 5.x ...

CVE Reference(s): CVE-2011-3545, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3554, CVE-2011-3556

Solution: Update to version SR13.

Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/

 

> https://www.ibm.com/developerworks/java/jdk/

___

 

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3547

CVSS v2 Base Score: 5.0 (MEDIUM)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3552

CVSS v2 Base Score: 2.6 (LOW)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3545

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3548

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3549

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3554

Last revised: 10/30/2011

CVSS v2 Base Score: 10.0 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3556

CVSS v2 Base Score: 7.5 (HIGH)

 

:!: :ph34r:


FYI...

 

Java 6u30 / 7u2 released

- http://www.oracle.com/technetwork/java/javase/6u30-relnotes-1394870.html

Dec. 12, 2011 - "... a notable bug fix for Java SE 6u30:

Area: JSSE: Runtime

Synopsis: REGRESSION - 6u29 -breaks- ssl connectivity using TLS_DH_anon_WITH_AES_128_CBC_SHA. It is strongly encouraged that applications using JSSE (SSL/TLS) be upgraded to this release to have access to the latest changes that address this recent vulnerability: Under certain circumstances, Java SE 6u29* will incorrectly throw an IndexOutOfBoundsException or send an extra SSL/TLS packet..."

* http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725

Related: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

Last revised: 12/13/2011

 

- http://www.oracle.com/technetwork/java/javase/7u2-relnotes-1394228.html

Dec. 12, 2011 - "... 7u2 does -not- add any fixes for security vulnerabilities beyond those in Java SE 7u1. Users who have Java SE 7u1 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

 

Bug Fixes... in Java SE 6u30:

- http://www.oracle.com/technetwork/java/javase/2col/6u30bugfixes-1394936.html

Bug Fixes... in Java SE 7u2:

- http://www.oracle.com/technetwork/java/javase/2col/7u2bugfixes-1394661.html

 

Downloads: http://www.oracle.com/technetwork/java/javase/downloads/index.html

 

JRE 6u30: http://www.oracle.com/technetwork/java/javase/downloads/jre-6u30-download-1377142.html

 

JRE 7u2: http://www.oracle.com/technetwork/java/javase/downloads/jre-7u2-download-1377135.html

___

 

- https://krebsonsecurity.com/2011/12/security-updates-for-microsoft-windows-java/

December 13, 2011 - "... specific details of the flaws* fixed in this update..."

 

* Exploitable bugs fixed in update 30

- https://krebsonsecurity.com/wp-content/uploads/2011/12/java6update30notes.txt

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6761678

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6670868

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7041800

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6682380

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725

___

 

IBM Java updated...

- https://secunia.com/advisories/47464/

Release Date: 2012-01-09

Criticality level: Highly critical

Impact: Hijacking, Spoofing, Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote

Software: IBM Java 1.4.x, IBM Java 6.x ...

Solution: Update to version 1.4.2 SR13-FP11 or 6.0.0 SR10.

Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/

Oracle October 18 2011 CPU

... more information:

- https://secunia.com/advisories/46512/

Last Update: 2011-10-27

Criticality level: Highly critical

Oracle: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Java SE Critical Patch Update Advisory - October 2011

JDK and JRE 7 Java SE

JDK and JRE 6 Update 27 and earlier

JDK and JRE 5.0 Update 31 and earlier

SDK and JRE 1.4.2_33 and earlier

IBM: http://blog.watchfire.com/files/dnsp_port_exhaustion.pdf

 

IBM Security Bulletins - Quarterly Summaries

- http://www-03.ibm.com/security/secure-engineering/bulletins.html

"... Starting in 2012, IBM will post a summary of its Security Bulletins from the previous Quarter on the 2nd Tuesday of January, April, July and October. The next four dates are:

January 10, 2012

April 10, 2012

July 10, 2012

October 9, 2012".

 

IBM Product Security Incident Response Blog

- https://www.ibm.com/blogs/PSIRT

 

:!:


FYI...

 

Java update advisory - Feb 2012

- http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

2012-February-17 Rev 2. Replaced CVE-2011-3571 with CVE-2012-0507

2012-February-14 Rev 1. Initial Release

2012-February-14 - "... Affected product releases and versions:

JDK and JRE 7 Update 2 and earlier, JDK and JRE 6 Update 30 and earlier, JDK and JRE 5.0 Update 33 and earlier, SDK and JRE 1.4.2_35 and earlier, JavaFX 2.0.2 and earlier, JavaFX...

>> http://www.oracle.com/technetwork/java/javase/downloads/index.html

"... Java SE 7u3 - This release includes security fixes... Java SE 6 Update 31 - This release includes security fixes..."

 

Java JRE 7u3:

- http://www.oracle.com/technetwork/java/javase/downloads/jre-7u3-download-1501631.html

Release Notes:

- http://www.oracle.com/technetwork/java/javase/7u3-relnotes-1481928.html

"... version number for this update release is 1.7.0_03-b04 (b05 in Windows, where "b" means "build"). The external version number is 7u3..."

 

Java JRE 6u31:

- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u31-download-1501637.html

Release Notes:

- http://www.oracle.com/technetwork/java/javase/6u31-relnotes-1482342.html

"... version number for this update release is 1.6.0_31-b04 (b05 in Windows, where "b" means "build")..."

___

 

- http://www.securitytracker.com/id/1026687

CVE Reference:

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3563 - 6.4

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0497 - 10.0 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0498 - 10.0 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0499 - 10.0 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0500 - 10.0 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0501 - 5.0

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0502 - 6.4

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0503 - 7.5 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0504 - 9.3 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0505 - 7.5 (HIGH)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0506 - 4.3

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0508 - 10.0 (HIGH)

Date: Feb 14 2012

Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Version(s): 1.4.2_35 and prior, 5.0 Update 33 and prior; 6 Update 30 and prior; 7 Update 2 and prior...

The vendor's advisory is available at:

- http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

 

- https://secunia.com/advisories/48009/

Release Date: 2012-02-15

Criticality level: Highly critical

Impact: Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote...

Original Advisory:

- http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

 

:!: :!:

Edited by AplusWebMaster


FYI...

 

Java exploit code available for recently patched vuln ...

ZDI-12-039: Oracle Java Web Start java-vm-args Command Argument Injection Remote Code Execution

- http://atlas.arbor.net/briefs/index#-2068343742

Severity: High Severity

Feb 24, 2012 - "Exploit code is available for a recently patched Java vulnerability.

Analysis: Oracle patched a series of Java security issues in February and at least one of these issues now has publicly available exploit code, as published in the Metasploit framework. While Metasploit is intended for authorized penetration testing purposes, attackers have no such scruples and will happily leverage freshly published exploit code to develop their own and incorporate the exploit into their malware kits. Such exploits also pay off for the attackers who launch targeted attacks, as many targets do not patch in a timely manner."

Source: http://www.zerodayinitiative.com/advisories/ZDI-12-039/

___

 

- https://isc.sans.edu/diary.html?storyid=12838

Last Updated: 2012-03-25 17:04:16 UTC - "... In slight modification of Oracle's own words: 'We highly recommend users remove all older versions of Java from your system. Keeping old and unsupported versions of Java on your system presents a serious security risk...' ..."

 

:!: :ph34r:

Edited by AplusWebMaster


FYI...

 

Critical Java hole being exploited on a large scale ...

- http://atlas.arbor.net/briefs/index#-1937641784

Severity: High Severity

Published: Wednesday, March 28, 2012 19:20

Java security vulnerability patched in February is now being used widely by criminals to install malware.

Analysis: Patch! Watch for outdated Java on the network as the presence of old Java User-Agents is often a sign that a system has been exploited and Java is now doing the attackers' bidding, typically downloading something evil.

Source: http://h-online.com/-1485681

Update 29-03-12: "... Until an update is released that addresses the vulnerability, Mac OS X users can turn off Java. Users can disable Java via Java Preferences (Applications > Utilities > Java Preferences) by unchecking the installed version. Alternatively, users can disable Java in each of their browsers; in Apple's Safari browser, this can be done by unchecking the "Enable Java" and "Enable JavaScript" under the Security tab in Safari's Preferences..."

* http://www.h-online.com/open/news/item/Critical-Java-hole-being-exploited-on-a-large-scale-Update-1485681.html?view=zoom;zoom=2

___

 

- http://atlas.arbor.net/briefs/index#-51701177

Elevated Severity

March 30, 2012

Source: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp

 

Mac Flashback Exploiting Unpatched Java Vulnerability

- https://www.f-secure.com/weblog/archives/00002341.html

April 2, 2012

 

:grrr::ph34r:

Edited by AplusWebMaster

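The Arbor brief above suggests hunting for outdated Java User-Agents on the network, and the 7u3/6u31 release notes quoted earlier in the thread show the internal version form ("1.7.0_03-b04") that those User-Agents carry. As an added example, not code from the original posts or from any of the linked advisories, the Python below parses that version form (from `java -version` output or from a `Java/<version>` User-Agent), compares it against a per-family patched floor, and runs the check over a few constructed proxy log lines. Assumptions: the `MIN_PATCHED` floors are taken from the February 2012 advisory quoted on this page (7u3 and 6u31 are the fixed releases; Update 34 for 5.0 and 1.4.2_36 are inferred from "Update 33 and earlier" / "1.4.2_35 and earlier"), the log line format and the log lines themselves are constructed for the demo, and the User-Agent shapes are the ones the Java plug-in and `java.net` HTTP client are assumed to send.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, update); 1.7.0_03 -> (1, 7, 0, 3)

# Minimum patched update per Java family after the February 2012 CPU, as quoted in
# this thread: 7u3 and 6u31 are the fixed releases; "5.0 Update 33 and earlier" and
# "1.4.2_35 and earlier" are affected, so Update 34 and _36 are taken as the first
# fixed builds (an inference from the advisory wording, not an Oracle statement).
MIN_PATCHED: Dict[Tuple[int, int], Version] = {
    (1, 7): (1, 7, 0, 3),
    (1, 6): (1, 6, 0, 31),
    (1, 5): (1, 5, 0, 34),
    (1, 4): (1, 4, 2, 36),
}

# Matches the internal version form used in Oracle's release notes ("1.7.0_03-b04")
# and in Java User-Agent strings ("Java/1.6.0_22"). The "-bNN" build suffix is ignored.
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b\d+)?")


def parse_java_version(text: str) -> Optional[Version]:
    """Return (major, minor, micro, update) for the first Java version in text, else None."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def external_name(v: Version) -> str:
    """Internal tuple -> external name: (1,7,0,3) -> '7u3', (1,4,2,36) -> '1.4.2_36'."""
    if v[:2] == (1, 4):
        return f"1.4.2_{v[3]}"
    return f"{v[1]}u{v[3]}"


def is_outdated(v: Version) -> bool:
    """True if v is below the patched floor for its family.

    Families not in MIN_PATCHED (e.g. 1.3) are unsupported and reported as outdated."""
    floor = MIN_PATCHED.get(v[:2])
    return floor is None or v < floor


# Constructed proxy log lines for the demo (not real traffic). Assumed format:
#   <timestamp> <client-ip> <method> <url> "<user-agent>"
# The Java plug-in and java.net HTTP client are assumed to identify as "Java/<version>".
SAMPLE_LOG = """\
2012-03-29T10:01:02Z 10.0.0.12 GET http://example.invalid/app.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_03"
2012-03-29T10:02:15Z 10.0.0.17 GET http://example.invalid/x.php?a=1 "Java/1.6.0_22"
2012-03-29T10:03:40Z 10.0.0.23 GET http://example.invalid/ "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
2012-03-29T10:04:01Z 10.0.0.31 GET http://example.invalid/payload.exe "Java/1.5.0_22"
"""

_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def find_outdated_java_clients(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan proxy log lines; return (client_ip, java_version, url) for every request
    made by a Java runtime older than the patched floor for its family."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, ua = m.groups()
        if "Java/" not in ua:
            continue  # ordinary browser traffic, not a Java runtime
        v = parse_java_version(ua.split("Java/", 1)[1])
        if v is not None and is_outdated(v):
            hits.append((client, external_name(v), url))
    return hits


if __name__ == "__main__":
    for client, ver, url in find_outdated_java_clients(SAMPLE_LOG):
        print(f"{client} is running Java {ver} (below patched floor) -> {url}")
```

To check a local install the same way, feed the output of `java -version 2>&1` to `parse_java_version` and pass the result to `is_outdated`; the floors in `MIN_PATCHED` must be bumped with each CPU listed later in this thread, since a runtime that was "patched" in February is outdated again by June.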

FYI...

 

- http://www.oracle.com/technetwork/topics/security/alerts-086861.html

"... For Oracle Java SE Critical Patch Updates, the next three dates are:

12 June 2012

16 October 2012

19 February 2013 ..."

___

 

IBM Java 5 update released

- https://secunia.com/advisories/48915/

Release Date: 2012-04-20

Criticality level: Highly critical

Impact: Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote

CVE Reference(s): CVE-2011-3389, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507

Solution: Update to version 5.0 SR13-FP1.

Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/

 

IBM Java 6 update released

- https://secunia.com/advisories/48913/

Criticality level: Highly critical

Impact: Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote

CVE Reference(s): CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507

Solution: Update to version 6 SR10-FP1.

Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/

 

:!: :!:

Edited by AplusWebMaster


FYI...

 

Java v.6u32/v.7u4 released

> http://www.oracle.com/technetwork/java/javase/downloads/index.html

___

 

Java SE Runtime Environment 7u4 - Download

- http://www.oracle.com/technetwork/java/javase/downloads/jre-7u4-download-1591157.html

April 26, 2012

 

Release notes

- http://www.oracle.com/technetwork/java/javase/7u4-relnotes-1575007.html

"... Bug Fixes: Java SE 7u4 does -not- add any fixes for security vulnerabilities beyond those in Java SE 7u3..."

 

Bug Fixes - Java SE 7u4

- http://www.oracle.com/technetwork/java/javase/2col/7u4bugfixes-1579555.html

 

- http://h-online.com/-1562140

27 April 2012 - "The new Java Standard Edition 7 Update 4 is the first Oracle-sponsored Java release that has been made available for Mac OS X (Lion)... Java SE 7 Update 4 can be downloaded for Macs, as well as Windows and Linux..."

- http://www.oracle.com/technetwork/java/javase/downloads/jdk-7u4-downloads-1591156.html

___

 

Java SE Runtime Environment 6 Update 32 - Download

- http://www.oracle.com/technetwork/java/javase/downloads/jre-6u32-downloads-1594646.html

April 26, 2012

 

Release notes

- http://www.oracle.com/technetwork/java/javase/6u32-relnotes-1578471.html

 

Bug Fixes - Java SE 6u32

- http://www.oracle.com/technetwork/java/javase/2col/6u32bugfixes-1579554.html

 

Java 6 End of Life (EOL) Notice

- http://www.oracle.com/technetwork/java/eol-135779.html

After November 2012, Oracle will no longer post updates of Java SE 6 to its public download sites...

___

 

Oracle to bring Java security fixes directly to Mac user ...

- http://atlas.arbor.net/briefs/index#-1272909644

Severity: Elevated Severity

Published: Monday, April 30, 2012 16:24

Oracle is now providing a direct version of Java to OSX users.

Analysis: This is a positive development that will hopefully reduce OSX malware. The lag in patch time between Oracle and Apple has been a thorn in the side of security for some time and the pain of the recent Flashback trojan, the SabPub trojan, and now another OSX malware using the same Java security hole has been significant enough that users should migrate towards Oracle Java as soon as possible. Cyber criminals are aware that OSX is a viable platform for malware, and will have their eyes open for other gaps in coverage.

Source: http://arstechnica.com/apple/news/2012/04/oracle-updates-java-to-se-7-for-os-x-brings-full-jdk-support.ars

 

.

Edited by AplusWebMaster


FYI...

 

Java v7u5 / v6 Update 33 released

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

June 12, 2012

 

- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

"... contains 14 new security fixes for Oracle Java SE. 12 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

 

Risk Matrix

- http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html#AppendixJAVA

7 Update 4 and before, 6 Update 32 and before, 5 Update 35 and before, 1.4.2_37 and before. JavaFX 2.1 and before...

 

Verify:

>> https://www.java.com/en/download/installed.jsp?detect=jre&try=1

 

Java SE 7u5 JRE

- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

Changes in 1.7.0_5

- http://www.oracle.com/technetwork/java/javase/7u5-relnotes-1653274.html

 

Java SE 6 Update 33 JRE

- http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html

Changes in 1.6.0_33

- http://www.oracle.com/technetwork/java/javase/6u33-relnotes-1653258.html

___

 

URGENT BULLETIN: All E-Business Suite End-Users...

- https://blogs.oracle.com/stevenChan/entry/bulletin_disable_jre_auto_update

Update: June 14, 2012 - "To ensure that Java Users remain on a secure version, Windows systems that rely on auto-update will be auto-updated from JRE 6 to JRE 7. Until EBS is certified with JRE 7, EBS users should -not- rely on the windows auto-update mechanism for their client machines and should -manually- keep the JRE up to date with the latest versions of 6 on an ongoing basis..."

 

- http://h-online.com/-1618753

15 June 2012

___

 

- http://www.securitytracker.com/id/1027153

CVE Reference: CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726

Jun 12 2012

Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network

Version(s): 1.4.2_37 and prior, 5.0 Update 35 and prior, 6 Update 32 and prior, 7 Update 4 and prior...

 

- https://secunia.com/advisories/49472/

Release Date: 2012-06-13

Criticality level: Highly critical

Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote

Original Advisory: Oracle:

http://www.oracle.com/technetwork/topics/security/javacpujun2012verbose-1515971.html

 

:ph34r: :ph34r:

Edited by AplusWebMaster


FYI...

 

Java v7u6 / v6u34 released

- http://www.oracle.com/us/corporate/press/1735645

August 14, 2012

 

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

 

Java SE 7u6 JRE

- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

Changes in 1.7.0_6

- http://www.oracle.com/technetwork/java/javase/7u6-relnotes-1729681.html

Bug fixes

- http://www.oracle.com/technetwork/java/javase/2col/7u6-bugfixes-1733378.html

 

Java SE 6 Update 34 JRE

- http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html

Changes in 1.6.0_34

- http://www.oracle.com/technetwork/java/javase/6u34-relnotes-1729733.html

Bug fixes

- http://www.oracle.com/technetwork/java/javase/2col/6u34-bugfixes-1733379.html

 

Java 6 EOL extended to February 2013

- https://blogs.oracle.com/henrik/entry/java_6_eol_h_h

 

Verify: https://www.java.com/en/download/installed.jsp?detect=jre&try=1

___

 

- http://h-online.com/-1667714

15 August 2012

___

 

- http://nakedsecurity.sophos.com/2012/08/15/oracle-updates-java-claims-full-and-timely-updates-for-apple-users/

Aug 15, 2012 - "... the latest Java version from Oracle is 7u6, also known as 1.7.0_6. If you don't intend to develop Java programs yourself, stick to the JRE. It's much smaller than the JDK, which reduces what's known in trendy-speak as your attack surface area. That's always a good thing. This new Java version includes a longish list of bugfixes*. These include: a few ominous-sounding ones with more than a whiff of vulnerability about them, such as 7166498 - JVM crash in ClassVerifier; the risky-sounding 7155051 - DNS provider may return incorrect results; and the intriguingly sticky-sounding 7178177 - Debug spewage when applets start up. With that in mind, I suggest you update as soon as practicable."

* http://www.oracle.com/technetwork/java/javase/2col/7u6-bugfixes-1733378.html

 

:!:

Edited by AplusWebMaster


FYI...

 

New critical Java flaw claimed

- http://www.theregister.co.uk/2012/09/26/gowdiak_claims_new_java_flaw/

26 Sep 2012 - "Oracle's Java is making a play to wrest back the title of world's leakiest code from Internet Explorer, after Polish researcher Adam Gowdiak claimed another critical flaw exists in the product. The -new- claim is stated on the Full Disclosure mailing list where Gowdiak writes that the newly-found flaw impacts “all latest versions of Oracle Java SE software” and that it allows “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.” That's apparently worse than previous exploits, as they only hit Java 7..."

- http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/

Sep 25, 2012

 

Consider disabling Java* in your browser until the next update**.

 

* https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

 

** https://isc.sans.edu/diary.html?storyid=14017

 

- http://www.oracle.com/technetwork/topics/security/alerts-086861.html

"For Oracle Java SE Critical Patch Updates, the next three dates are:

16 October 2012

19 February 2013

18 June 2013 ..."

___

 

Java v7u7 / v6u35 released

* http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-verbose-1835710.html

August 30, 2012

 

Risk Matrix

- http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html#AppendixJAVA

CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, CVE-2012-0547

 

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

 

Java SE 7u7 JRE

- http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html

Changes in 1.7.0_7

- http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html

"... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."

___

 

Java SE 6 Update 35 JRE

- http://www.oracle.com/technetwork/java/javase/downloads/jre6u35-downloads-1836473.html

Changes in 1.6.0_35

- http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html

"... Bug fixes: This release contains a security-in-depth fix. For more information, see Oracle Security Alert for CVE-2012-4681*..."

___

 

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681 - 10.0 (HIGH)

Last revised: 09/01/2012 - "... as exploited in the wild in August 2012..."

 

:!: :!:

Edited by AplusWebMaster


FYI...

 

Java SE Critical Patch Update Advisory - October 2012

- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

Oct 16, 2012

 

Java JRE 7u9 released

- http://www.oracle.com/technetwork/java/javase/downloads/jre7u9-downloads-1859586.html

Oct 16, 2012

 

Release Notes

- http://www.oracle.com/technetwork/java/javase/7u9-relnotes-1863279.html

 

Java JRE 6 Update 37

- http://www.oracle.com/technetwork/java/javase/downloads/jre6u37-downloads-1859589.html

Oct 16, 2012

 

Release Notes

- http://www.oracle.com/technetwork/java/javase/6u37-relnotes-1863283.html

 

Java - October 2012 Risk Matrices

- http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html#AppendixJAVA

"This Critical Patch Update contains 30 new security fixes for Oracle Java SE. 29 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

___

 

- http://atlas.arbor.net/briefs/index#1321617866

Severity: High Severity

October 17, 2012

Oracle releases Java security patches that should be applied as soon as possible.

Analysis: Given the damage that has been caused by malware infections and system intrusions caused by vulnerable versions of Java being exploited it is likely that the security holes patched herein will also be used by cyber-criminals, nation-state attackers and others in their quest to compromise systems and pursue a malicious agenda. Limiting the scope of browser-based Java to one specific browser that's only used on trusted applications and also wrapping Java on any Microsoft platform with a technology such as EMET to reduce the risk of future exploitation can help provide additional protection for this widely attacked software.

 

- http://www.securitytracker.com/id/1027672

CVE Reference: CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5078, CVE-2012-5079, CVE-2012-5080, CVE-2012-5081, CVE-2012-5082, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089

Oct 17 2012

Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network

Version(s): 1.4.2_38 and prior, 5.0 Update 36 and prior, 6 Update 35, 7 Update 7 and prior

Impact: A remote user can take full control of the target system.

A remote user can access and modify data on the target system.

A remote user can cause partial denial of service conditions on the target system.

Solution: The vendor has issued a fix, described in the October 2012 Critical Patch Update advisory.

The vendor's advisory is available at:

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

 

- https://secunia.com/advisories/50949/

Release Date: 2012-10-17

Criticality level: Highly critical

Impact: Manipulation of data, Exposure of sensitive information, DoS, System access

Where: From remote

... vulnerabilities are reported in the following products:

* JDK and JRE 7 Update 7 and earlier.

* JDK and JRE 6 Update 35 and earlier.

* JDK and JRE 5.0 Update 36 and earlier.

* SDK and JRE 1.4.2_38 and earlier.

* JavaFX 2.2 and earlier.

Solution: Apply updates.

Original Advisory: Oracle:

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

___

 

- http://javatester.org/

Oct 17, 2012 - "... not all known bugs were fixed..."

 

- http://blogs.computerworld.com/application-security/21173/ugly-side-latest-java-updates

Oct 18, 2012 - "... the ugly stuff. The biggest issue is that Oracle didn't patch all the known problems with Java. As a result, even these latest and greatest editions of Java remain vulnerable to a known critical flaw. Adam Gowdiak is the security researcher who found many of the recent flaws in Java. His last flaw became public knowledge on September 25th. Since the problem was exploitable on Java versions 5, 6 and 7, Gowdiak estimated that it put 1 billion users at risk. A couple security organizations, Heise and Kaspersky, have been in contact with Gowdiak about how well the latest versions of Java patch the flaws he discovered. Gowdiak told Heise Security "that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java". He claims that Oracle told him that the just-released package of 30 bug fixes was "already in its final testing phase" when he reported the September 25th flaw. In other words, he was too late to the party. He told Kaspersky the same thing. The flaw that puts a billion users at risk won't be patched until February 19, 2013. This is not to suggest, in any way, ignoring the latest updates to Java. Just recognize that they make you safer (30 bugs were fixed) rather than safe..."

 

:!: :!:

Edited by AplusWebMaster


FYI...

 

Java 7u10/6u38 released

- http://www.oracle.co...oads/index.html

Dec 11, 2012

 

7u10 Downloads:

- http://www.oracle.co...ds-1880261.html

 

Bug Fixes - JDK 7u10

> http://www.oracle.co...es-1881008.html

 

- http://www.oracle.co...es-1880995.html

___

 

- http://h-online.com/-1770629

17 Dec 2012

 

> http://docs.oracle.c...t-security.html

 

> http://docs.oracle.c...s/jweb/jcp.html

 

- https://krebsonsecurity.com/2012/12/shocking-delay-in-fixing-adobe-shockwave-bug/

Dec 19, 2012 - "... There are bug fixes with these releases, but no official security updates. However, the Java 7 update does include some new functionality designed to make it easier to disable Java in the browser..."

___

 

6 Update 38 Downloads:

- http://www.oracle.co...ds-1877409.html

 

Bug Fixes - JDK 6u38

- http://www.oracle.co...es-1880999.html

 

- http://www.oracle.co...es-1880997.html

 

- http://www.oracle.co...eol-135779.html

"... After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions..."

 

:!:

Edited by AplusWebMaster


FYI...

Java v7u11 released - Download
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
Jan 13, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
"... This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422..."
* http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

> http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html#AppendixJAVA
2013-January 13

- https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
Jan 13, 2013 - "... The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174. These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0. Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 - 10.0 (HIGH)
"... vulnerability in Oracle Java 7 before Update 11..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3174 - 10.0 (HIGH)
"... vulnerability in Oracle Java 7 before Update 11..."

:ph34r: :ph34r:

Edited by AplusWebMaster


FYI...

Java v7u13 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
Feb 1, 2013

JRE 7u13
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

- https://www.java.com/en/download/manual.jsp

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u13-relnotes-1902884.html
This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory*.

* http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html

- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html#AppendixJAVA

- https://blogs.oracle.com/security/entry/february_2013_critical_patch_update
Feb 01, 2013 - "... contains fixes for -50- security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java..."

Oracle Java SE Critical Patch Update Advisory - February 2013
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
Note: The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update...

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1489 - 10.0 (HIGH)
___

JRE 6u39
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html

- http://www.oracle.com/technetwork/java/javase/6u39-relnotes-1902886.html
___

- http://www.securitytracker.com/id/1028071
CVE Reference: CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0436, CVE-2013-0437, CVE-2013-0438, CVE-2013-0439, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1472, CVE-2013-1473, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483, CVE-2013-1489
Feb 1 2013
Impact: Denial of service via network, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0 Update 38 and prior; 6 Update 38 and prior; 7 Update 11 and prior...
Solution: The vendor has issued a fix as part of the Oracle Java SE Critical Patch Update Advisory for February 2013. The vendor's advisory is available at:
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

- http://www.kb.cert.org/vuls/id/858729
Last Updated: 05 Feb 2013
___

- https://blogs.oracle.com/security/entry/updates_to_february_2013_critical#
Update Feb 08, 2013: "... As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE. Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date. This updated February 2013 Critical Patch Update will be published on February 19th..."

:ph34r: :ph34r:

Edited by AplusWebMaster


FYI...

- https://secure.dslreports.com/forum/r28039102-
2013-02-23 - "With the last 2 Java updates on my XP box (7_13 & 7_15), I received the offer of a McAfee Security Scan which I declined. The same updates on my Vista box offered the installation of the Ask.com toolbar which I also declined..."

 

- https://encrypted.google.com/
Tag-along software installs
"... About 35,500,000 results..." < 3.15.2013
___

IBM Java Multiple Vulnerabilities
- https://secunia.com/advisories/52308/
Release Date: 2013-03-01
Criticality level: Highly critical
Impact: Privilege escalation, DoS, System access, Manipulation of data, Exposure of sensitive information
Where: From remote...
Original Advisory: http://www.ibm.com/developerworks/java/jdk/alerts/
___

Java 7u15 released - JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Feb 19, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u15-relnotes-1907738.html

JDK
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Java v7 Update 15
- https://www.java.com/en/download/manual.jsp

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html#AppendixJAVA

- https://blogs.oracle.com/security/entry/updated_february_2013_critical_patch
Feb 19, 2013
___

Java JRE v6 Update 41
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html
___

- http://www.securitytracker.com/id/1028155
CVE Reference: CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487
Feb 19 2013
Impact: Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 1.4.2_41 and prior, 5.0 Update 39 and prior, 6 Update 39, 7 Update 13 and prior

:ph34r:

Edited by AplusWebMaster


FYI...

There are a dozen known flaws in Java ...
- http://blogs.computerworld.com/malware-and-vulnerabilities/21883/there-are-dozen-known-flaws-java
March 10, 2013 - "The last time Oracle released a new version of Java was less than a week ago (March 4th). Yet, there are already a dozen known, un-patched bugs in this latest release (Java 7 update 17)..."
___

Java JRE 7u17 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Mar 4, 2013

- http://www.oracle.com/technetwork/java/javase/7u17-relnotes-1915289.html

- https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493
Mar 4, 2013 - "Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers..."

Risk Matrix
- http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html#AppendixJAVA

JDK 7u17
- http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
___

Java 6 Update 43
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html

- https://secunia.com/advisories/52451/
Last Update: 2013-03-05
Criticality level: Extremely critical
Impact: System access
Where: From remote...
CVE Reference(s): CVE-2013-0809, CVE-2013-1493
Solution: Update to a fixed version...
___

- http://seclists.org/fulldisclosure/2013/Mar/38
Mar 4, 2013 - "... 5 -new- security issues were discovered in Java SE 7..."

:ph34r: :ph34r:

Edited by AplusWebMaster


FYI...

Oracle Java SE Critical Patch Update Pre-Release Announcement - April 2013
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Apr 15, 2013 - "This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for April 2013, which will be released on Tuesday, April 16, 2013... this Critical Patch Update contains -42- new security vulnerability fixes..."

:ph34r: :ph34r:


FYI...

- http://www.symantec.com/connect/blogs/java-exploit-cve-2013-2423-coverage
Updated: 26 Apr 2013 - "... this vulnerability is now seen as a high priority... Please be aware of -malware- that masquerades as software updates and patches - only download the patch from the official website."

Current version always shown here:
- https://www.java.com/en/download/manual.jsp
___

Java JRE 7u21
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
April 16, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html

- https://blogs.oracle.com/security/entry/april_2013_critical_patch_update1
Apr 16, 2013

Oracle Java SE Critical Patch Update Advisory - April 2013
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html#AppendixJAVA
April 16, 2013 - "This Critical Patch Update contains 42 new security fixes for Oracle Java SE. 39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

Recommended Version 7 Update 21
- https://www.java.com/en/download/manual.jsp

- https://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to-a-hacked-site-and-get-infected vulnerabilities..."

Java JRE 6 Update 45
- http://www.oracle.com/technetwork/java/javase/downloads/jre6downloads-1902815.html
___

Java 7 Update 21 is available - Watch for Behaviour Changes
- https://isc.sans.edu/diary.html?storyid=15620
2013-04-16 - "... Oracle has significantly changed how Java runs with this version. Java now requires code signing, and will pop up brightly coloured dialogue boxes if your code is not signed. They now alert on unsigned, signed-but-expired and self-signed certificates. We'll even need to click "OK" when we try to download and execute signed and trusted Java... graphics you can expect to see once you update are:
> https://isc.sans.edu/diaryimages/images/expired_cert.jpg
> https://isc.sans.edu/diaryimages/images/unsigned_cert.jpg
Full details on the new run policy can be found here ==>
- https://www.java.com/en/download/help/appsecuritydialogs.xml
And more information can be found here ==>
- http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html "

Dangerous defaults let certificates stay unchecked.
- http://www.h-online.com/security/news/item/Java-7-Update-21-closes-security-holes-and-restricts-applets-1843558.html?view=zoom;zoom=2
17 April 2013

___

- http://www.securitytracker.com/id/1028434
CVE Reference: CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440

Apr 16 2013
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0 Update 41, 6 Update 43, 7 Update 17; and prior versions...
Solution: The vendor has issued a fix (6 Update 45, 7 Update 21)...
___

- http://www.f-secure.com/weblog/archives/00002544.html
April 23, 2013 - "A few days after Oracle released a critical patch, CVE-2013-2423* is found to (have) already been exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening... the Metasploit module was published on the 20th... the exploit was seen in the wild the day after..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423


FYI...

Java users at risk ...
- http://community.websense.com/blogs/securitylabs/archive/2013/06/04/majority-of-users-still-vulnerable-to-java-exploits.aspx
4 Jun 2013 - "... collecting telemetry... to provide insight into usage of the most recent version of Java... almost 93% of users are still not patched to the most recent version of Java. This leaves the majority of users still vulnerable to the dangers of exploit code already in use in the wild... So 1 month after release, the remaining 92.8% of users remain vulnerable to at least one exploit in the wild... the April 2013 Java Critical Patch Update contained 42 new security fixes, of which 39 may be remotely exploitable without authentication. We saw that on April 20, 2013, to illustrate the danger of just one of these 39 remote execution vulnerabilities, Metasploit published a module to exploit a vulnerability in CVE-2013-2423*. We have observed this particular exploit code incorporated into exploit kits and used in the wild..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423

Java JRE 7u21
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
April 16, 2013

Recommended Version 7 Update 21
- https://www.java.com/en/download/manual.jsp

- https://krebsonsecurity.com/2013/04/java-update-plugs-42-security-holes/
April 16, 2013 - "... contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to-a-hacked-site-and-get-infected vulnerabilities..."


FYI...

Java JRE 7u25
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
June 18, 2013

- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html

- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
"... This Critical Patch Update contains 40 new security fixes across Java SE products of which 4 are applicable to server deployments of Java..."

Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html#AppendixJAVA

- http://www.oracle.com/technetwork/topics/security/javacpujun2013verbose-1899853.html

- https://blogs.oracle.com/security/entry/june_2013_critical_patch_update
Jun 18, 2013

Recommended Version 7 Update 25
- https://www.java.com/en/download/manual.jsp
___

- http://www.securitytracker.com/id/1028679
CVE Reference: CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2467, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3744
Jun 18 2013
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0 Update 45, 6 Update 45, 7 Update 21; and prior versions ...
Solution: The vendor has issued a fix (7 Update 25).

- https://secunia.com/advisories/53846/
Release Date: 2013-06-19
Criticality level: Highly critical
Impact: Spoofing, Manipulation of data, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote
... vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 21 and prior
* JDK and JRE 6 Update 45 and prior
* JDK and JRE 5 Update 45 and prior
Solution: Apply updates...
___

Less Than 1 Percent Of Enterprises Run Newest Version Of Java
Most businesses have multiple, outdated versions of the app on their endpoints, new report finds
- http://www.darkreading.com/vulnerability/write-once-pwn-anywhere-less-than-1-per/240158496?printer_friendly=this-page
July 18, 2013 - "... More than 90 percent of organizations are running a version of Java that's at least five years old, and 82 percent of endpoints run Java version 6, according to a new report by Bit9 that investigated Java installations in the enterprise. There are an average of 1.6 versions of Java on every endpoint, and nearly half of all endpoints have more than two versions of the application. Fewer than 1 percent run the newest version of Java: version 7 Update 25, Bit9 found... why don't enterprises merely purge older versions of Java? It's the old legacy application problem. Applications that are tied to a specific version of Java could lose functionality if only the new version of Java were running..."


FYI...

Java 6 0-Day exploit-in-the-wild
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2013/08/26/java-6-0-day-exploit-in-the-wild
Aug 26, 2013 - "CVE-2013-2463 is a vulnerability in the Java 2D subcomponent, that was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 (including the latest u45) has the same vulnerability, as Oracle acknowledges in the CPU, but since Java 6 has become unsupported as of its End-of-Life in April 2013, there is no patch for the vulnerability... this time, things have become a bit more serious. As Matthew Schwartz reports in Informationweek*, F-Secure has seen exploits for this vulnerability in Java 6 in the wild. Further they have seen it included in the Neutrino exploit kit, which guarantees that it will find widespread adoption. In addition, we still see very high rates of Java 6 installed (a bit over 50%), which means many organizations are vulnerable..."
* https://www.informationweek.com/security/vulnerabilities/hackers-target-java-6-with-security-expl/240160443

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2463 - 10.0 (HIGH)
___

- https://community.qualys.com/blogs/laws-of-vulnerabilities/2013/08/26/java-6-0-day-exploit-in-the-wild
Comments: "... OpenJDK 6 remains supported and actively patched for security flaws. An OpenJDK 6 patch for CVE-2013-2463 is available":
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023941.html
___

- http://blog.trendmicro.com/trendlabs-security-intelligence/java-native-layer-exploits-going-up/
Aug 28, 2013 - "... We urge users to carefully evaluate whether their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws."
___

- http://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/
4 Sep 2013
* http://krebsonsecurity.com/wp-content/uploads/2013/09/javaprompt.png

- https://www.cert.org/blogs/certcc/2013/04/dont_sign_that_applet.html

- http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/


FYI...

Java JRE 7u45 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

- http://www.oracle.com/technetwork/java/javase/downloads/index.html
"This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

- https://blogs.oracle.com/java/entry/java_se_7_update_45
Oct 15, 2013

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html

Recommended Version 7 Update 45
- https://www.java.com/en/download/manual.jsp

- http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA
"This Critical Patch Update contains -51- new security fixes for Oracle Java SE. 50 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."

- https://secunia.com/advisories/55315/
Release Date: 2013-10-16
Criticality: Highly Critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Solution Status: Vendor Patch
CVE Reference(s): CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5775, CVE-2013-5776, CVE-2013-5777, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5788, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805, CVE-2013-5806, CVE-2013-5809, CVE-2013-5810, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5838, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5844, CVE-2013-5846, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5851, CVE-2013-5852, CVE-2013-5854
Original Advisory: Oracle:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA
http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html#JAVA
___

- http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/
Oct. 16, 2013 - "... seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants..."
___

- https://isc.sans.edu/diary.html?storyid=16811
Last Updated: 2013-10-15 20:17:01 UTC - "... Oracle is now on a quarterly update schedule, starting with this version. Going forward, expect regular updates to be released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
14 January 2014
15 April 2014
15 July 2014
14 October 2014 ..."

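The schedule rule quoted from the ISC diary above is mechanical enough to code. The following Python is an added example, not code from ISC, Oracle or the original poster: it computes the CPU Tuesdays for any year from the "Tuesday closest to the 17th" rule and, following the 7u55 release note quoted later in this thread (a JRE "will expire with the release of the next critical patch update"), derives the built-in expiry date of a JRE from its release date. The expiry helper assumes nothing beyond that one sentence.

```python
"""Oracle Java SE Critical Patch Update calendar (added example, not ISC's or Oracle's code).

Implements the rule quoted above: a CPU ships on the Tuesday closest to the 17th
of January, April, July and October. jre_expiry() follows the 7u55 release note
quoted later in this thread (a JRE "will expire with the release of the next
critical patch update") and assumes nothing beyond that sentence.
"""
from __future__ import annotations

from datetime import date, timedelta

CPU_MONTHS = (1, 4, 7, 10)
CPU_ANCHOR_DAY = 17
TUESDAY = 1  # date.weekday(): Monday == 0


def closest_tuesday(anchor: date) -> date:
    """Tuesday nearest to `anchor`. The Tuesday before is 0..6 days back; it wins
    when at most 3 days back, otherwise the following Tuesday is nearer. A tie is
    impossible because the two candidates are exactly 7 days apart."""
    days_since_tuesday = (anchor.weekday() - TUESDAY) % 7
    if days_since_tuesday <= 3:
        return anchor - timedelta(days=days_since_tuesday)
    return anchor + timedelta(days=7 - days_since_tuesday)


def cpu_dates(year: int) -> list[date]:
    """The four scheduled Java SE CPU dates of `year`, in calendar order."""
    return [closest_tuesday(date(year, month, CPU_ANCHOR_DAY)) for month in CPU_MONTHS]


def next_cpu_after(d: date) -> date:
    """First scheduled CPU strictly after `d`. Strictly, because a JRE released on a
    CPU day (7u55 on 2014-04-15) expires at the following CPU, not the same day."""
    for year in (d.year, d.year + 1):
        for cpu in cpu_dates(year):
            if cpu > d:
                return cpu
    raise RuntimeError("unreachable: the following year always has four CPUs")


def jre_expiry(release_date: date) -> date:
    """Built-in expiry of a JRE released on `release_date`, per the 7u55 note."""
    return next_cpu_after(release_date)


if __name__ == "__main__":
    for year in (2013, 2014, 2015):
        print(year, ", ".join(d.isoformat() for d in cpu_dates(year)))
    # 7u55 shipped 2014-04-15; its release note gives 2014-07-15 as the expiry.
    print("7u55 expires", jre_expiry(date(2014, 4, 15)).isoformat())
    # 7u60 was an off-cycle release (2014-05-28); under this rule it expires at the same CPU.
    print("7u60 expires", jre_expiry(date(2014, 5, 28)).isoformat())
```

Checked against the dates that appear in this thread, the rule holds for the whole period it covers: cpu_dates() yields 2013-10-15, the four 2014 dates the diary lists, 2015-01-20 and 2015-04-14.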

FYI...

Java JRE 7u51 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
Jan 14, 2014

Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA

- http://www.oracle.com/technetwork/java/javase/downloads/index.html
"This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

- https://blogs.oracle.com/java/entry/java_se_7_update_51
"... important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release..."

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html

Recommended Version 7 Update 51
- https://www.java.com/en/download/manual.jsp
___

- http://www.securitytracker.com/id/1029608
CVE Reference: CVE-2013-5870, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5893, CVE-2013-5895, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5904, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0382, CVE-2014-0385, CVE-2014-0387, CVE-2014-0403, CVE-2014-0408, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428
Jan 14 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 7 Update 51...

- https://secunia.com/advisories/56485/
Release Date: 2014-01-15
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...
___

Java Primary Cause of 91% of Attacks
- http://www.eweek.com/security/java-primary-cause-of-91-percent-of-attacks-cisco.html
2014-01-16 - "... no one technology was more abused or more culpable than Java, according to Cisco's latest annual security report*... What that means is that the final payload in observed attacks was a Java exploit..."
* http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
"... 91% of web exploits target Java..."


FYI...

IBM Java multiple vulns
- https://secunia.com/advisories/56594/
Release Date: 2014-01-30
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access...
For more information: https://secunia.com/SA56485/
... vulnerabilities are reported in versions prior to 5.0 SR16-FP5, 6 SR15-FP1, 6.0.1 SR7-FP1, 7 SR6-FP1, and 7R1 SR1.
Solution: Update to version 5.0 SR16-FP5, 6 SR15-FP1, 6.0.1 SR7-FP1, 7 SR6-FP1, or 7R1 SR1.
Original Advisory:
- http://www.ibm.com/developerworks/java/jdk/alerts/
- http://www.ibm.com/support/docview.wss?uid=swg21662968


FYI...

Java SE 8
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Mar 18, 2014

Java SE 8 Now Available
- https://blogs.oracle.com/java/entry/java_se_embedded_8

JRE 8
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

JDK 8 Release Notes
- http://www.oracle.com/technetwork/java/javase/8train-relnotes-latest-2153846.html
"The Java Platform, Standard Edition 8 Development Kit (JDK 8) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas... links to release information about enhancements, changes, bugs, installation, runtime deployment, and documentation. Release Notes files are located on our website only and are not in the documentation download bundle, unless otherwise noted..."

Known Issues for JDK 8
- http://www.oracle.com/technetwork/java/javase/8-known-issues-2157115.html
___

Recommended Version 7 Update 51
- https://www.java.com/en/download/manual.jsp


FYI...

Java SE 8u5
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Apr 15, 2014

Release Notes
- http://www.oracle.com/technetwork/java/javase/8train-relnotes-latest-2153846.html

Oracle Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
___

Recommended Version 7 Update 55
- https://www.java.com/en/download/manual.jsp

Release Notes - 7u55
- http://www.oracle.com/technetwork/java/javase/7u55-relnotes-2177812.html
"... This JRE (version 7u55) will expire with the release of the next critical patch update scheduled for July 15, 2014..."
___

- https://secunia.com/advisories/57932/
Release Date: 2014-04-16
Criticality: Highly Critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
CVE Reference(s): CVE-2013-6629, CVE-2013-6954, CVE-2014-0429, CVE-2014-0432, CVE-2014-0446, CVE-2014-0448, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460, CVE-2014-0461, CVE-2014-0463, CVE-2014-0464, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398, CVE-2014-2401, CVE-2014-2402, CVE-2014-2403, CVE-2014-2409, CVE-2014-2410, CVE-2014-2412, CVE-2014-2413, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2422, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428
... vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 51 and prior
* JDK and JRE 6 Update 71 and prior
* JDK and JRE 5 Update 61 and prior
* JDK and JRE 8
Solution: Apply updates...
Original Advisory:
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA


FYI...

Java JRE 7u60 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
May 28, 2014

Release Notes
- http://www.oracle.com/technetwork/java/javase/7u60-relnotes-2200106.html
... notable bug fixes in this release:
Area: security-libs/java.security
Synopsis: Realm.getRealmsList returns realms list in wrong order...

Bug fixes included in JDK 7u60 release
- http://www.oracle.com/technetwork/java/javase/2col/7u60-bugfixes-2202029.html
___

Recommended Version 7 Update 60
- https://www.java.com/en/download/manual.jsp


FYI...

Java 7u65 released
- http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html
July 15, 2014

Java 8u11
- http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA
"... contains 20 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication..."
___

Recommended Version 7 Update 65
- https://www.java.com/en/download/manual.jsp

Java Uninstall Tool
- https://www.java.com/en/download/faq/uninstaller_toolinfo.xml
"... simplifying the process of finding and uninstalling older versions of Java. The Uninstall tool shows you a list of the Java versions on your computer and then removes those that are out of date..."
- https://www.java.com/en/download/uninstallapplet.jsp
___

- http://www.securitytracker.com/id/1030577
CVE Reference: CVE-2014-2483, CVE-2014-2490, CVE-2014-4208, CVE-2014-4209, CVE-2014-4216, CVE-2014-4218, CVE-2014-4219, CVE-2014-4220, CVE-2014-4221, CVE-2014-4223, CVE-2014-4227, CVE-2014-4244, CVE-2014-4247, CVE-2014-4252, CVE-2014-4262, CVE-2014-4263, CVE-2014-4264, CVE-2014-4265, CVE-2014-4266, CVE-2014-4268
Jul 15 2014
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0u65, Java SE 6u75, Java SE 7u60, Java SE 8u5; and prior versions...
___

- https://atlas.arbor.net/briefs/index#-1227693199
High Severity
17 Jul 2014


FYI...

Java 7u67 patch released
- https://blogs.oracle.com/java-platform-group/entry/java_7_update_67_patch
Aug 04, 2014 - "The recent Java 7 update 65 contained an issue that prevents some Applet and Web Start applications from launching. As a result, we have released Java 7 update 67 to restore the functionality for affected users..."

Recommended Version 7 Update 67
- https://www.java.com/en/download/manual.jsp


FYI...

Java 8u25 released
- http://www.oracle.com/technetwork/java/javase/downloads/index.html
Oct 14, 2014 - "This release includes important security fixes. Oracle strongly recommends that all Java SE 8 users upgrade to this release."

Release Notes
- http://www.oracle.com/technetwork/java/javase/8u25-relnotes-2296185.html

Java JRE 8u25 downloads
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Java JDK 8u25 downloads
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

Recommended Version 8 Update 25
- https://www.java.com/en/download/manual.jsp

... if you still need to use Java at all. If not - uninstall it!
___

- http://www.securitytracker.com/id/1031035
CVE Reference: CVE-2014-0050, CVE-2014-2478, CVE-2014-4289, CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4293, CVE-2014-4294, CVE-2014-4295, CVE-2014-4296, CVE-2014-4297, CVE-2014-4298, CVE-2014-4299, CVE-2014-4300, CVE-2014-4301, CVE-2014-4310, CVE-2014-6452, CVE-2014-6453, CVE-2014-6454, CVE-2014-6455, CVE-2014-6467, CVE-2014-6483, CVE-2014-6537, CVE-2014-6538, CVE-2014-6542, CVE-2014-6544, CVE-2014-6545, CVE-2014-6546, CVE-2014-6547, CVE-2014-6560, CVE-2014-6563, CVE-2014-6513, CVE-2014-6532, CVE-2014-6503, CVE-2014-6456, CVE-2014-6562, CVE-2014-6485, CVE-2014-6492, CVE-2014-6493, CVE-2014-4288, CVE-2014-6466, CVE-2014-6458, CVE-2014-6468, CVE-2014-6506, CVE-2014-6511, CVE-2014-6476, CVE-2014-6515, CVE-2014-6504, CVE-2014-6519, CVE-2014-6517, CVE-2014-6531, CVE-2014-6512, CVE-2014-6457, CVE-2014-6527, CVE-2014-6502, CVE-2014-6558
Oct 15 2014
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Description: Multiple vulnerabilities were reported in Oracle Java. A remote or local user can obtain elevated privileges on the target system. A remote user can partially access and modify data...
Solution: The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - October 2014.
The vendor's advisory is available at:
- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

>> http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html#JAVA


FYI...

Java 8u31 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Jan 20, 2015


Release notes
- http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html

Bug Fixes
- http://www.oracle.com/technetwork/java/javase/2col/8u31-bugfixes-2389095.html

JRE Downloads
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Oracle Java SE Risk Matrix
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA
Jan 20, 2015

Recommended Version 8 Update 31
- https://www.java.com/en/download/manual.jsp
Jan 20, 2015

... -if- you still need to use Java at all. If not - uninstall it!

- https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
Jan 20, 2015 - "... Organizations should disable the use of all versions of SSL as they can no longer rely on SSL to ensure secure communications between systems. Customers should update their custom code to switch to a more resilient protocol (e.g., TLS 1.2). They should also expect that all versions of SSL be disabled in all Oracle software moving forward. A manual configuration change can allow Java SE clients and server endpoints, which have been updated with this Critical Patch Update, to continue to temporarily use SSL v3.0. However, Oracle strongly recommends organizations to phase out their use of SSL v3.0 as soon as possible..."

>> https://www.ssllabs.com/ssltest/viewMyClient.html
___

- http://www.securitytracker.com/id/1031580
CVE Reference: CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0400, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413, CVE-2015-0421, CVE-2015-0437
Jan 20 2015
Impact: Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.0u75, 6u85, 7u72, 8u25 ...
Solution: The vendor has issued a fix as part of the Oracle Critical Patch Update Advisory - January 2015.
> http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA

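The Oracle post above says SSL v3.0 is off in Java as of this CPU and that "a manual configuration change" can turn it back on. The knob is the `jdk.tls.disabledAlgorithms` security property in `<JRE>/lib/security/java.security` (not named in the post; stated here from the 8u31 release notes), and re-enabling SSLv3 means deleting it from that comma-separated list, which is easy to miss in a fleet audit. The following Python is an added example, not Oracle's code: a minimal parser for the java.security format, including the backslash line continuation that property is normally wrapped with, and a check that flags files where SSLv3 is no longer disabled. Both sample files are constructed for the demo.

```python
"""Audit java.security for the SSLv3 setting (added example, not Oracle's code).

Assumptions not stated in the post above: Java's TLS stack honours the
`jdk.tls.disabledAlgorithms` security property in <JRE>/lib/security/java.security,
and the "manual configuration change" that brings SSL v3.0 back is removing
SSLv3 from that comma-separated list. The sample files are constructed.
"""
from __future__ import annotations

import re

PROPERTY = "jdk.tls.disabledAlgorithms"
_KV = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)")

# Constructed sample in the shape of the 8u31 default: SSLv3 present, value wrapped
# with a trailing backslash the way Oracle ships the file.
HARDENED = """\
# constructed sample: post-8u31 shape
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \\
    EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
"""

# Constructed sample of the "manual configuration change": SSLv3 deleted to keep
# talking to an old appliance. This is what the audit must flag.
LEGACY = """\
# constructed sample: SSLv3 re-enabled
jdk.tls.disabledAlgorithms=RC4, DH keySize < 768
"""


def parse_java_properties(text: str) -> dict[str, str]:
    """Minimal java.security/.properties parser: '#' or '!' comments, key=value or
    key:value, and backslash line continuation with the next line's indent dropped."""
    props: dict[str, str] = {}
    pending = ""  # accumulated logical line across continuations
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    if pending:  # file ended mid-continuation; keep what we have
        m = _KV.match(pending)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def disabled_algorithms(props: dict[str, str]) -> set[str]:
    """Entries of jdk.tls.disabledAlgorithms as a set (entries may contain spaces)."""
    return {item.strip() for item in props.get(PROPERTY, "").split(",") if item.strip()}


def sslv3_disabled(java_security_text: str) -> bool:
    """True when the file keeps SSLv3 disabled; False for the legacy/weak setting
    (property absent or SSLv3 removed from it)."""
    return "SSLv3" in disabled_algorithms(parse_java_properties(java_security_text))


def audit(java_security_text: str, label: str) -> str:
    """One-line verdict suitable for a fleet report."""
    state = "OK (SSLv3 disabled)" if sslv3_disabled(java_security_text) else "WEAK (SSLv3 enabled)"
    return f"{label}: {state}"


if __name__ == "__main__":
    print(audit(HARDENED, "hardened sample"))
    print(audit(LEGACY, "legacy sample"))
```

Point audit() at the real file from each JRE install you find; a file with the property missing altogether is reported as weak on purpose, since an older JRE that predates this CPU has no such line and still speaks SSLv3.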

FYI...

Java 8u40 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Mar 4, 2015

Release notes
- http://www.oracle.com/technetwork/java/javase/8u40-relnotes-2389089.html

Downloads / JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Recommended Version 8 Update 40
- https://www.java.com/en/download/manual.jsp
Mar 4, 2015

... -if- you still need to use Java at all. If not - uninstall it!
___

- http://www.engadget.com/2015/03/06/java-adware-mac/
March 6 2015 - "... For Java 8 Update 40 on Mac, the update instructions now confirm that "Oracle has partnered with companies that offer various products," including Ask.com (McAfee products have also been bundled on the PC)... the parent company of Ask.com - which also owns Tinder, OKCupid, the Daily Beast and others - paid out $883 million to partners like Oracle to distribute its toolbar and other wares..."
> https://www.java.com/ga/images/en/mac_sponsors.jpg


FYI...

Java 8u45 released
- http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Apr 14, 2015

Release notes
- http://www.oracle.com/technetwork/java/javase/8u45-relnotes-2494160.html

Downloads / JRE
- http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Recommended Version 8 Update 45
- https://www.java.com/en/download/manual.jsp
Apr 14, 2015

... -if- you still need to use Java at all. If not - uninstall it!
___

- http://www.securitytracker.com/id/1032120
CVE Reference: CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469, CVE-2015-0470, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0486, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492
Apr 14 2015
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): Java SE 5.0u81, 6u91, 7u76, 8u40; Java FX 2.2.76...
Solution: The vendor has issued a fix as part of Oracle Critical Patch Update Advisory - April 2015.

> http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA
"... contains 14 new security fixes for Oracle Java... All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password..."
> http://www.oracle.com/technetwork/topics/security/cpuapr2015verbose-2365613.html#JAVA

