Oracle updates Java 7 to Update 17 and Java 6 to Update 43, but…
Oracle, under pressure from the new Java 0day discovered being exploited in the wild, has released new updates for Java 7, Java 6 and Java 5. Java 7 is updated to version 1.7.0_17, Java 6 to version 1.6.0_43 and Java 5 to version 1.5.0_41.
These updates are pushed as an “Oracle Security Alert for CVE-2013-1493”, which fixes CVE-2013-1493, the vulnerability behind the Java 0day, but also another vulnerability, CVE-2013-0809, affecting Java running in web browsers. Both vulnerabilities have a CVSS base score of 10.0 and are remotely exploitable without authentication.
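As an added check that is not part of the original post, the following Python script parses the banner that `java -version` prints and classifies the installed JRE against the three fixed update levels the alert names (7u17, 6u43, 5u41). The function names, the `java_version_on_this_host` helper and the sample banners are constructed for this example; only the fixed version numbers come from the post above. One caveat a practitioner should keep in mind: the JRE on `PATH` is not necessarily the one a browser plugin loads, so each installed JRE should be checked by full path.

```python
import re
import subprocess

# Minimum update level per Java family shipped by the Oracle Security Alert for
# CVE-2013-1493, as named in the post above: 7u17, 6u43 and 5u41.
FIXED_UPDATE = {
    (1, 7): 17,
    (1, 6): 43,
    (1, 5): 41,
}

# First line of `java -version` output, e.g.  java version "1.7.0_15"
# The update number after "_" is optional: a plain "1.7.0" is the GA build (update 0).
_VERSION_LINE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, update) from `java -version` text, or None if absent."""
    match = _VERSION_LINE.search(output)
    if match is None:
        return None
    major, minor, _patch, update = match.groups()
    return (int(major), int(minor), int(update or 0))


def assess(version):
    """Classify a parsed version against the fixed update levels.

    Returns "patched", "vulnerable" or "unknown" (a family the alert does not
    cover, e.g. anything older than Java 5 or newer than Java 7).
    """
    major, minor, update = version
    fixed = FIXED_UPDATE.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if update >= fixed else "vulnerable"


def assess_output(output):
    """Parse then classify; "unknown" when no version line is found."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    return assess(version)


def java_version_on_this_host(java="java"):
    """Run `java -version` for the given binary and classify it (assumed helper).

    Pass the full path of each installed JRE: a browser plugin may load a JRE
    other than the one first on PATH.
    """
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    # Oracle's JVM prints the banner on stderr; fall back to stdout just in case.
    return assess_output(proc.stderr or proc.stdout)


# Constructed sample banners for a stand-alone run (not captured from real hosts).
SAMPLE_BANNERS = {
    "7u15": 'java version "1.7.0_15"\n'
            'Java(TM) SE Runtime Environment (build 1.7.0_15-b03)\n'
            'Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)\n',
    "7u17": 'java version "1.7.0_17"\n'
            'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)\n',
    "6u43": 'java version "1.6.0_43"\n',
    "6u41": 'java version "1.6.0_41"\n',
    "5u41": 'java version "1.5.0_41"\n',
    "7 GA": 'java version "1.7.0"\n',
    "none": 'bash: java: command not found\n',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:>5}: {assess_output(banner)}")
    print(" PATH: " + java_version_on_this_host())
```

The classification is deliberately per family: a 6u43 host is "patched" for this alert even though it is older than any Java 7 build, and a 1.7.0 GA banner without an update suffix is treated as update 0, not as unparseable.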
The vulnerabilities are credited to an anonymous reporter of TippingPoint’s Zero Day Initiative, axtaxt via TippingPoint’s Zero Day Initiative, Darien Kindlund of FireEye, Vitaliy Toropov via iDefense and Vitaliy Toropov via TippingPoint. As you may remember, CVE-2013-1493 was discovered being exploited in the wild by FireEye, but it seems that this vulnerability had also previously been found by a security researcher working with 0day brokers. It is not the first time that we see a 0day exploited in the wild that had previously been reported to 0day brokers!
Also, Security Explorations, the security firm responsible for identifying most of the latest Java vulnerabilities, is not credited for any of the patched vulnerabilities, so a bunch of its reported Java vulnerabilities remain unfixed.
Last but not least, Security Explorations has reported, today, five new security issues for Java 7 that can be used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15.
I recommend that you read these related posts:
- CVE-2013-1493 aka Yet Another Oracle Java 0day
- Oracle Java Critical Patch Update April 2013 Review
- CVE-2013-1488 Oracle Java Applet Driver Manager Vulnerability Metasploit Demo
- Bye Bye Java SE 6, Security Enhancements in Java SE 7U10
- CVE-2013-2423 – Java 7u17 Applet Reflection Type Confusion RCE Metasploit Demo
- Oracle Java Exploits and 0days since 2012 Interactive Timeline
- CVE-2012-0500 Oracle Java Web Start Plugin Command Line Argument Injection Metasploit Demo
- CVE-2012-0507 Java AtomicReferenceArray Type Violation Vulnerability Metasploit Demo
- Watering Hole Campaign Use Latest Java and IE Vulnerabilities
- Oracle Java Critical Patch Update June 2013 Review