CVE-2012-4681 Vulnerability Patched in Out-of-Band Oracle Java Update
Four days later, Oracle has released an out-of-band security patch for Java SE, versions 7u7 (1.7.0_07) and 6u35 (1.6.0_35).
This out-of-band update corrects 4 vulnerabilities; 3 of the 4 have a CVSS base score of 10.0.
CVE-2012-4681, with a CVSS base score of 10.0, is one of the well-known vulnerabilities behind the Java 7 0day and was discovered by Adam Gowdiak of Security Explorations in April 2012. This vulnerability affected Java 7 Update 6 and earlier.
CVE-2012-1682, with a CVSS base score of 10.0. This vulnerability affected Java 7 Update 6 and earlier.
CVE-2012-3136, with a CVSS base score of 10.0. This vulnerability affected Java 7 Update 6 and earlier.
CVE-2012-0547, with a CVSS base score of 0.0. This vulnerability affected Java 7 Update 6 and earlier, and Java 6 Update 34 and earlier.
But according to Security Explorations, there are still around 26 reported vulnerabilities that remain open, with unknown impact.
By default, an installed Java is configured for automatic update notification, but this process is also configured by default to run only every Sunday at 9:00 PM. That delay gives the bad guys more time. We highly recommend you update your Java installation as soon as possible!
Unfortunately, the new update, Java 7 Update 7, contains a critical flaw, discovered by Security Explorations 24 hours after the release of the patch. This newly discovered security flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems. No details are currently public and no exploit of the new flaw has yet been found in the wild. We can hope that this new security flaw will not be discovered by the bad guys and that Oracle will patch it in its next scheduled release, on October 16.
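Because the default update check only runs once a week, an administrator who wants to know today whether a machine still carries a pre-7u7 or pre-6u35 runtime needs to look at the installed version directly. The script below is an added example (not code from the original post or from Oracle): it parses the banner that `java -version` prints to stderr, compares the version tuple against the two patched releases named above (1.7.0_07 and 1.6.0_35), and reports whether the installation predates this update. The sample banners at the bottom are constructed for illustration; note that the check only tells you whether the four CVEs fixed by this update are addressed, not whether the newer flaw found in 7u7 is.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# Minimum releases that carry this out-of-band fix, per the post:
# Java SE 7u7 (1.7.0_07) and Java SE 6u35 (1.6.0_35).
PATCHED = {
    (1, 7): (1, 7, 0, 7),
    (1, 6): (1, 6, 0, 35),
}

# Matches the first line of `java -version`, e.g. java version "1.7.0_06"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, micro, update) from a `java -version` banner.

    Returns None when the text does not contain a recognisable version line.
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, micro, update = match.groups()
    # Update numbers are zero-padded in the banner ("_06"); int() normalises that.
    return (int(major), int(minor), int(micro), int(update or 0))


def is_below_patch(version: Version) -> Optional[bool]:
    """True if the version predates the patched release of its line,
    False if it is at or above it, None if the line (e.g. Java 5) is not
    covered by this update at all."""
    line = version[:2]
    if line not in PATCHED:
        return None
    # Tuple comparison is lexicographic, so (1, 7, 0, 6) < (1, 7, 0, 7).
    return version < PATCHED[line]


def check_installed_java() -> Optional[bool]:
    """Run the local `java -version` and evaluate it.

    The JVM prints its banner to stderr, so that stream is parsed.
    Returns None if no java binary is found or its banner is unrecognised.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    version = parse_java_version(proc.stderr or proc.stdout)
    return None if version is None else is_below_patch(version)


# Constructed sample banners (not captured from a real host).
SAMPLE_BANNERS = {
    "pre-patch 7":  'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "patched 7":    'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "pre-patch 6":  'java version "1.6.0_34"\nJava(TM) SE Runtime Environment (build 1.6.0_34-b04)',
    "patched 6":    'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    "unsupported":  'java version "1.5.0_22"\nJava(TM) 2 Runtime Environment, Standard Edition',
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        version = parse_java_version(banner)
        verdict = is_below_patch(version) if version else None
        print(f"{label:12s} {version} -> needs update: {verdict}")
    print("local java predates this update:", check_installed_java())
```

Run it as-is to see the verdict for each constructed banner and for the host's own `java`; in an inventory job you would call `check_installed_java()` on each machine and flag any `True`.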
I recommend you read these related posts:
- Oracle Push Java SE 7 Update to Uninstall Version 6
- Oracle Java Critical Patch Update October 2012 Review
- Oracle Java Critical Patch Update February 2013 Review
- Java Version 7 Update 11 Patch Oracle CVE-2013-0422 0day
- Oracle Java Critical Patch Update April 2013 Review
- Year 2012 Main Exploitable Vulnerabilities Interactive Timeline
- CVE-2012-5088 Java Applet Method Handle RCE Metasploit Demo
- CVE-2012-5076 Java Applet AverageRangeStatisticImpl RCE Metasploit Demo
- CVE-2012-1723 Oracle Java Applet Field Bytecode Verifier Cache RCE Metasploit Demo
- Oracle update to Java 7 Update 17 and to Java 6 Update 43, but…