I understand Oracle came out with a new update today (Java 7 update 13). Do you believe this update has the necessary changes to make it safe to re-enable our Java? I have copied a new page from Homeland Security for your review. Please let me know what your take is on the safety factor with this update.
Vulnerability Note VU#858729
Java 7 contains multiple vulnerabilities
Original Release date: 01 Feb 2013 | Last revised: 01 Feb 2013
The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems. The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException".
By leveraging a number of vulnerabilities, an untrusted Java applet can escalate its privileges to allow full privileges, without requiring code signing. Other vulnerabilities can cause exploitable memory corruption, which could affect Java applets, as well as Java applications, depending on what the Java application does and how it may process untrusted data. Oracle Java 7 update 11 and earlier Java 7 versions are affected.
At least one of these vulnerabilities is reportedly being exploited in the wild.
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for these vulnerabilities. The vulnerabilities that affect server deployments of Java may be exploited by causing a Java server application to process untrusted data.
Apply an update
These issues are addressed in Java 7 Update 13. Please see the Oracle Java SE Critical Patch Update Advisory - February 2013 for more details.
Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
Restrict access to Java applets
Network administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to .jar and .class files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet.
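The proxy policy the note sketches (allow Java requests to the local intranet, block them to internet destinations, where "Java request" means a `Java/` User-Agent or a fetch of a .jar/.class file) can be expressed as a small decision function. The following is an added illustration, not part of the CERT note or of any proxy product; the intranet suffixes and the proxy log lines are constructed, and the JRE's default User-Agent is assumed to begin with `Java/`.

```python
"""Proxy-policy evaluator for the Java applet restriction described in VU#858729."""
from urllib.parse import urlsplit

# Constructed intranet domain suffixes; replace with your own internal zones.
INTRANET_SUFFIXES = ("corp.example", "intranet.example")
JAVA_EXTENSIONS = (".jar", ".class")

# Constructed proxy log, tab-separated: client IP, method, URL, User-Agent.
SAMPLE_LOG = """\
10.0.0.5\tGET\thttp://apps.corp.example/tools/viewer.jar\tJava/1.7.0_11
10.0.0.5\tGET\thttp://cdn.example.net/ads/loader.jar\tMozilla/5.0
10.0.0.7\tGET\thttp://cdn.example.net/a/b.html\tJava/1.7.0_11
10.0.0.7\tGET\thttp://www.example.net/index.html\tMozilla/5.0
10.0.0.9\tGET\thttp://evilcorp.example/x.class\tJava/1.7.0_11
10.0.0.9\tGET\thttp://apps.corp.example:8080/a.JAR?v=2\tMozilla/5.0
"""

def is_intranet(host: str) -> bool:
    """True if host is an intranet name (exact match or a subdomain of a suffix)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in INTRANET_SUFFIXES)

def is_java_request(url: str, user_agent: str) -> bool:
    """A request is Java-related if the JRE issued it (assumed default
    User-Agent begins with "Java/") or if it fetches a .jar or .class file."""
    path = urlsplit(url).path.lower()
    return user_agent.strip().lower().startswith("java/") or path.endswith(JAVA_EXTENSIONS)

def decide(url: str, user_agent: str) -> str:
    """Allow everything that is not Java; allow Java only to intranet hosts."""
    if not is_java_request(url, user_agent):
        return "allow"
    host = urlsplit(url).hostname or ""
    return "allow" if is_intranet(host) else "block"

def evaluate_log(log: str) -> list:
    """Return (url, decision) for each log line; malformed lines are skipped."""
    results = []
    for line in log.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        _client, _method, url, ua = fields
        results.append((url, decide(url, ua)))
    return results

if __name__ == "__main__":
    for url, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:5}  {url}")
```

Note that the suffix match requires a dot boundary, so a look-alike host such as `evilcorp.example` does not inherit the intranet allowance for `corp.example`.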
Vendor Information
Vendor: Oracle Corporation | Status: Affected | Date Notified: - | Date Updated: 01 Feb 2013
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
Credit: These vulnerabilities were reported by Oracle. This document was written by Will Dormann.
- CVE IDs: CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-3342, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0436, CVE-2013-0437, CVE-2013-0438, CVE-2013-0439, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0447, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1472, CVE-2013-1473, CVE-2013-1474, CVE-2013-1475, CVE-2013-1476, CVE-2013-1477, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1481, CVE-2013-1482, CVE-2013-1483, CVE-2013-1489
- US-CERT Alert: TA13-032A
- Date Public: 01 Feb 2013
- Date First Published: 01 Feb 2013
- Date Last Updated: 01 Feb 2013
- Document Revision: 23