-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0034
        New vulnerabilities in Java Runtime Environment can result
                        in arbitrary code execution
                               5 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Java
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1493 CVE-2013-0809 
Member content until: Thursday, April  4 2013

Comment: Oracle has stated that they have received reports of CVE-2013-1493 
         being exploited in the wild. AusCERT recommends that administrators 
         apply the updates as soon as possible.

OVERVIEW

        New vulnerabilities have been discovered in the Java Runtime 
        Environment component of Oracle Java SE, which can result in arbitrary 
        code execution in all previous versions of Java. [1, 2]


IMPACT

        Oracle advises that these vulnerabilities may be remotely exploited
        without authentication. Oracle advises that: "For an exploit to be 
        successful, an unsuspecting user running an affected release in a 
        browser must visit a malicious web page that leverages these 
        vulnerabilities." [1]
        
        Furthermore, Oracle notes that: "Successful attack of this vulnerability 
        can result in unauthorized Operating System takeover including arbitrary
        code execution." [2]
        
        Oracle also notes that: "This vulnerability can be exploited only through 
        untrusted Java Web Start applications and untrusted Java applets." [2]


MITIGATION

        Oracle strongly recommends that customers update to the latest version
        of Java - JDK 7 Update 17 as soon as possible. [1]
        
        JDK 6 Update 43 has been made available by Oracle to mitigate these
        vulnerabilities for those customers who have not migrated to JDK 7. [3]
        
        However, Oracle notes that: "This release is the last of publicly 
        available JDK 6 Updates. Oracle recommends that users migrate to JDK 7 
        in order to continue receiving public updates and security 
        enhancements." [3]
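        As an added example that is not part of the AusCERT bulletin, the
        following Python check parses the first line of `java -version`
        output and compares the reported update level against the fixed
        releases named above (JDK 7 Update 17 and JDK 6 Update 43), so an
        administrator can flag installations that still need the update.
        The sample version strings are constructed, not captured from a
        real system.

```python
import re
import subprocess

# Minimum update levels carrying the fix, as stated in the bulletin:
# JDK 7 Update 17 and JDK 6 Update 43, keyed by (major, minor) family.
FIXED_UPDATE = {(1, 7): 17, (1, 6): 43}

# Matches the first line printed by `java -version`, e.g.
#   java version "1.7.0_15"   or   java version "1.6.0_43-b01"
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')


def parse_java_version(output):
    """Return (major, minor, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    return (int(major), int(minor), int(update or 0))


def is_patched(output):
    """True if the reported JRE is at or above the fixed update for its family.

    Output that cannot be parsed, or a family the bulletin does not list,
    is conservatively reported as not patched.
    """
    v = parse_java_version(output)
    if v is None:
        return False
    fixed = FIXED_UPDATE.get(v[:2])
    return fixed is not None and v[2] >= fixed


def check_local_java():
    """Run the installed java binary; returns None if no java is on PATH."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    # `java -version` writes its banner to stderr
    return is_patched(out.stderr + out.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not taken from a real host
    for sample in ('java version "1.7.0_15"', 'java version "1.6.0_43-b01"'):
        print(sample, "->", "patched" if is_patched(sample) else "UPDATE REQUIRED")
```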


REFERENCES

        [1] Oracle Security Alert for CVE-2013-1493
            http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

        [2] Text Form of Oracle Security Alert - CVE-2013-1493 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493verbose-1915091.html

        [3] Update Release Notes
            http://www.oracle.com/technetwork/java/javase/6u43-relnotes-1915290.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----