AusCERT - ESB-2012.0819 - ALERT [Win][UNIX/Linux][Mobile] Java 7: Execute arbitrary code/commands

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2012.0819 - ALERT [Win][UNIX/Linux][Mobile] Java 7: Execute arbitrary code/commands - Remote with user interaction
Date: 28 August 2012
References: ASB-2012.0120 ESB-2012.0839 ESB-2012.0840 ESB-2012.0896 ESB-2012.1007.2

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0819
            Oracle Java 7 Security Manager Bypass Vulnerability
                              28 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Java 7
Publisher:         US-CERT
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Mobile Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User 
		   Interaction
Resolution:        Mitigation
CVE Names:         CVE-2012-4681  

Original Bulletin: 
   http://www.us-cert.gov/cas/techalerts/TA12-240A.html

Comment: A patch is not available at this time, however the Java Plug-in can 
be disabled.  Instructions are included in this bulletin for several common 
browsers.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Awareness System

US-CERT Alert TA12-240A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: August 27, 2012
Last revised: --

Systems Affected

     Any system using Oracle Java 7 (1.7, 1.7.0) including:

     * Java Platform Standard Edition 7 (Java SE 7)
     * Java SE Development Kit (JDK 7)
     * Java SE Runtime Environment (JRE 7)

     Web browsers using the Java 7 Plug-in are at high risk.


Overview

   A vulnerability in the way Java 7 restricts the permissions of Java
   applets could allow an attacker to execute arbitrary commands on a
   vulnerable system.


Description

   A vulnerability in the Java Security Manager allows a Java applet
   to grant itself permission to execute arbitrary operating system
   commands. An attacker could use social engineering techniques to
   entice a user to visit a link to a web site hosting a malicious
   applet.

   Any web browser using the Java 7 Plug-in is affected.

   Reports indicate this vulnerability is being actively exploited,
   and exploit code is publicly available.


Impact

   By convincing a user to load a malicious Java applet, an attacker
   could execute arbitrary operating system commands on a vulnerable
   system with the privileges of the Java Plug-in process.


Solution

   Disable the Java Plug-in

   Disabling the Java web browser plug-in will prevent Java applets
   from from running. Here are instructions for several common web
   browsers:

   * Apple Safari: How to disable the Java web plug-in in Safari

   * Mozilla Firefox: How to turn off Java applets

   * Google Chrome: See the "Disable specific plug-ins" section of the
     Chrome Plug-ins documentation.

   * Microsoft Internet Explorer: Change the value of the
     UseJava2IExplorer registry key to 0. Depending on the versions of
     Windows and the Java plug-in, the key can be found in these
     locations:

       HKLM\Software\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer

       HKLM\Software\Wow6432Node\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer
   
   * The Java Control Panel (javacpl.exe) does not reliably configure
     the Java plug-in for Internet Explorer. Instead of editing the
     registry, it is possible to run javacpl.exe as Administrator,
     navigate to the Advanced tab, Default Java for browsers, and use
     the space bar to de-select the Microsoft Internet Explorer option.

   Use NoScript

   NoScript is a browser extension for Mozilla Firefox browsers that
   provides options to block Java applets.


References

 * Vulnerability Note VU#636312
   <http://www.kb.cert.org/vuls/id/636312>

 * Zero-Day Season is Not Over Yet
   <http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>

 * Let's start the week with a new Java 0-day in Metasploit
   <https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day>

 * http://pastie.org/4594319
   <http://pastie.org/4594319>

 * The Security Manager
   <http://docs.oracle.com/javase/tutorial/essential/environment/security.html>

 * Java 7 0-Day vulnerability information and mitigation.
   <http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html>

 * How to disable the Java web plug-in in Safari
   <https://support.apple.com/kb/HT5241>

 * How to turn off Java applets
   <https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>

 * NoScript
   <http://noscript.net/>


Revision History

  August 27, 2012: Initial release

 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA12-240A Feedback VU#636312" in
   the subject.
 ____________________________________________________________________

   Produced by US-CERT, a government organization.
 ____________________________________________________________________

This product is provided subject to this Notification: 
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy: 
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA12-240A.html

For instructions on subscribing to or unsubscribing from this 
mailing list, visit http://www.us-cert.gov/cas/signup.html


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBUDwzD3dnhE8Qi3ZhAQIhCwgAoB6PY2SMOBk9HEm0kNLm0aYD+YNJ/JjE
76KMWFPbtKd6I4hgMsjgIj6Y9a9fObk3tI+WAZ9cUrtw7I0/rnFJ33hEa24EdAZi
FrC+8WYJulBssl2t/+GXW+jnWymgv3wm8B75A5ykXp6K/Xg0LDH7Xpe1tgPI7ojJ
9Wut8xfoKknzm3s6mEuVrZUpN8cGJzDi4E1CqGdQPUEcBBSnwIpbNVTdfsSLlaEX
st2VpWpC2Nd/WrcakJoQhC2ehvi3osEEXL6AAX88G7ixUg9E+aS2G+JiUQ2/DDKD
zD8dq/LaX7aZldPgbbLsuJHWnN2/gmWnjUMYnFjHbSpCcLGphnfQiQ==
=3Q1B
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUDxYIO4yVqjM2NGpAQIvAhAAsm30SF9ETaOOlMtAsUTu+X5X+MCtGfLk
HgWzSHgzjuPZdOYuyReANYNeQv2vl9eda9kMJm2r0UNBgTVr316TZhzMJb3SWsbk
CHiN+5JhMU/YQ+OKWpLIpYmb6AkbBpglTCqhE9xJWYbE1Gx8QvpdqvtyfXdshRyF
lMlqNA4a7NAV1mn7E1wTBooe14XvQuHdMALUxZ+HmfywUDCAZUsTj09FMwdhUMlD
+CPAruu6ZYYAUkcRivaMoo1xQPrfuAWSFd40az+YZNvkKOQJ5OzxptYY/oBi/5aR
XH1DlwLsgjbKH/DguIg/bgp2Ww3AigoCtzhNA4FFIoAmKAftQ0x2XejQRElcMRLe
+AS+0WXMqVZxKe1Q+9oKykJzHmcKM6MbO5qUWNKRr4z+nhh8R9lfiCsYsrx3ABFV
S0rZkoVrTdaQG2yTNR9Yjuwi316keTtmcPMwwRRKJj/D3nxtTkJAF3y0U8a7qWPz
+t9NkJnxhMVGUkChMRbscAEGSDu1hCxIqWlJlybActZcHOa/JB4gM+mNk5LQmf2H
abX0z1AQAXwE8mUAlmZNr1EkhgHl6qubl+1irgmwq4y9UrEyHj/TAPUmtlB622JW
QrJI5lKwhHUSFyQ9jPbxLsg2POGyP7DpGFasQeCFkun/EcCiL4kPXxQk4G2cxUA4
4czZP0WHxCg=
=uvM5
-----END PGP SIGNATURE-----