Date: 28 August 2012
References: ASB-2012.0120 ESB-2012.0839 ESB-2012.0840 ESB-2012.0896 ESB-2012.1007.2
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Oracle Java 7 Security Manager Bypass Vulnerability
28 August 2012
AusCERT Security Bulletin Summary
Product: Java 7
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User
CVE Names: CVE-2012-4681
Comment: A patch is not available at this time, however the Java Plug-in can
be disabled. Instructions are included in this bulletin for several common
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
National Cyber Awareness System
US-CERT Alert TA12-240A
Oracle Java 7 Security Manager Bypass Vulnerability
Original release date: August 27, 2012
Last revised: --
Any system using Oracle Java 7 (1.7, 1.7.0) including:
* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)
Web browsers using the Java 7 Plug-in are at high risk.
A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary operating system
commands. An attacker could use social engineering techniques to
entice a user to visit a link to a web site hosting a malicious
Any web browser using the Java 7 Plug-in is affected.
Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.
By convincing a user to load a malicious Java applet, an attacker
could execute arbitrary operating system commands on a vulnerable
system with the privileges of the Java Plug-in process.
Disable the Java Plug-in
Disabling the Java web browser plug-in will prevent Java applets
from from running. Here are instructions for several common web
* Apple Safari: How to disable the Java web plug-in in Safari
* Mozilla Firefox: How to turn off Java applets
* Google Chrome: See the "Disable specific plug-ins" section of the
Chrome Plug-ins documentation.
* Microsoft Internet Explorer: Change the value of the
UseJava2IExplorer registry key to 0. Depending on the versions of
Windows and the Java plug-in, the key can be found in these
* The Java Control Panel (javacpl.exe) does not reliably configure
the Java plug-in for Internet Explorer. Instead of editing the
registry, it is possible to run javacpl.exe as Administrator,
navigate to the Advanced tab, Default Java for browsers, and use
the space bar to de-select the Microsoft Internet Explorer option.
NoScript is a browser extension for Mozilla Firefox browsers that
provides options to block Java applets.
* Vulnerability Note VU#636312
* Zero-Day Season is Not Over Yet
* Let's start the week with a new Java 0-day in Metasploit
* The Security Manager
* Java 7 0-Day vulnerability information and mitigation.
* How to disable the Java web plug-in in Safari
* How to turn off Java applets
August 27, 2012: Initial release
Feedback can be directed to US-CERT Technical Staff. Please send
email to <email@example.com> with "TA12-240A Feedback VU#636312" in
Produced by US-CERT, a government organization.
This product is provided subject to this Notification:
Privacy & Use policy:
This document can also be found at
For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----