exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Technical Cyber Security Alert 2012-240A

Technical Cyber Security Alert 2012-240A
Posted Aug 29, 2012
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert 2012-240A - A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.

tags | advisory, java, arbitrary
SHA-256 | a18e5c8d7e2b18824197224cbd232de96e1cff9aaf7438a07a6214ebff4c15da

Technical Cyber Security Alert 2012-240A

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Awareness System

US-CERT Alert TA12-240A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: August 27, 2012
Last revised: --

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including:

* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)

Web browsers using the Java 7 Plug-in are at high risk.


Overview

A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
vulnerable system.


Description

A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary operating system
commands. An attacker could use social engineering techniques to
entice a user to visit a link to a web site hosting a malicious
applet.

Any web browser using the Java 7 Plug-in is affected.

Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.


Impact

By convincing a user to load a malicious Java applet, an attacker
could execute arbitrary operating system commands on a vulnerable
system with the privileges of the Java Plug-in process.


Solution

Disable the Java Plug-in

Disabling the Java web browser plug-in will prevent Java applets
from from running. Here are instructions for several common web
browsers:

* Apple Safari: How to disable the Java web plug-in in Safari

* Mozilla Firefox: How to turn off Java applets

* Google Chrome: See the "Disable specific plug-ins" section of the
Chrome Plug-ins documentation.

* Microsoft Internet Explorer: Change the value of the
UseJava2IExplorer registry key to 0. Depending on the versions of
Windows and the Java plug-in, the key can be found in these
locations:

HKLM\Software\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer

HKLM\Software\Wow6432Node\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer

* The Java Control Panel (javacpl.exe) does not reliably configure
the Java plug-in for Internet Explorer. Instead of editing the
registry, it is possible to run javacpl.exe as Administrator,
navigate to the Advanced tab, Default Java for browsers, and use
the space bar to de-select the Microsoft Internet Explorer option.

Use NoScript

NoScript is a browser extension for Mozilla Firefox browsers that
provides options to block Java applets.


References

* Vulnerability Note VU#636312
<http://www.kb.cert.org/vuls/id/636312>

* Zero-Day Season is Not Over Yet
<http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>

* Let's start the week with a new Java 0-day in Metasploit
<https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day>

* http://pastie.org/4594319
<http://pastie.org/4594319>

* The Security Manager
<http://docs.oracle.com/javase/tutorial/essential/environment/security.html>

* Java 7 0-Day vulnerability information and mitigation.
<http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html>

* How to disable the Java web plug-in in Safari
<https://support.apple.com/kb/HT5241>

* How to turn off Java applets
<https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>

* NoScript
<http://noscript.net/>


Revision History

August 27, 2012: Initial release

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA12-240A Feedback VU#636312" in
the subject.
____________________________________________________________________

Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA12-240A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBUDwzD3dnhE8Qi3ZhAQIhCwgAoB6PY2SMOBk9HEm0kNLm0aYD+YNJ/JjE
76KMWFPbtKd6I4hgMsjgIj6Y9a9fObk3tI+WAZ9cUrtw7I0/rnFJ33hEa24EdAZi
FrC+8WYJulBssl2t/+GXW+jnWymgv3wm8B75A5ykXp6K/Xg0LDH7Xpe1tgPI7ojJ
9Wut8xfoKknzm3s6mEuVrZUpN8cGJzDi4E1CqGdQPUEcBBSnwIpbNVTdfsSLlaEX
st2VpWpC2Nd/WrcakJoQhC2ehvi3osEEXL6AAX88G7ixUg9E+aS2G+JiUQ2/DDKD
zD8dq/LaX7aZldPgbbLsuJHWnN2/gmWnjUMYnFjHbSpCcLGphnfQiQ==
=3Q1B
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close