
Oracle Java Three Vulnerabilities


Secunia ID: SA50133
CVE-ID: CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
Release Date: 27 Aug 2012
Last Change: 24 Dec 2012
Criticality: Extremely Critical
Solution Status: Vendor Patch
Software: Oracle Java JDK 1.7.x / 7.x, Oracle Java JRE 1.7.x / 7.x
Where: From remote
Impact: System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Description

Three vulnerabilities have been reported in Oracle Java, which can be exploited by malicious people to compromise a user's system.

1) An error in how the "setSecurityManager()" function can be called can be exploited by an applet to set its own privileges, e.g. to allow downloading and executing arbitrary programs.

NOTE: This is currently being actively exploited in targeted attacks.

2) An error when handling reflections within the java.beans.Expression class can be exploited to compromise a user's system.

3) An unspecified error in the Beans sub-component can be exploited to compromise a user's system.

Successful exploitation of the vulnerabilities allows execution of arbitrary code, but applies to client deployments only, as the vulnerabilities are exploited through untrusted Java Web Start applications and untrusted Java applets.

Solution

Update to version 7 Update 7.

NOTE: The updated version also applies a defense-in-depth security fix to address an issue that makes exploitation of other vulnerabilities more severe. This fix is also implemented in version 6 Update 35.
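The solution above names two baselines: Java 7 Update 7 fixes the three vulnerabilities, and Java 6 Update 35 carries only the defense-in-depth fix. The following added example (not part of the Secunia advisory or of Oracle's material) is a small inventory check that parses the first line of `java -version` output and classifies an installation against those baselines. The status labels ("patched", "vulnerable", "missing-defense-in-depth", "out-of-scope", "unknown"), the handling of the `1.7.0` no-update-suffix and vendor-suffix forms, and the sample output strings are all this example's own assumptions; the version string format (`1.7.0_06`, with the build on the second line) is the standard Oracle layout.

```python
import re
import subprocess

# Baselines taken from the advisory: 7u7 fixes the vulnerabilities,
# 6u35 only receives the defense-in-depth fix.
FIXED_UPDATE_FOR_7 = 7
DEFENSE_IN_DEPTH_UPDATE_FOR_6 = 35

# Matches the first line of `java -version`, e.g.
#   java version "1.7.0_06"
#   openjdk version "11.0.2" 2019-01-15
# The update number ("_06") is optional; a vendor suffix such as
# "-icedtea" inside the quotes is tolerated (assumption: some builds add one).
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?"'
)


def parse_java_version(output):
    """Return (major, minor, patch, update) from `java -version` output,
    or None when the text does not contain a recognisable version line."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update) if update else 0)


def assess(output):
    """Classify a Java installation against the advisory's baselines.

    'vulnerable'                -> Java 7 older than Update 7 (all three issues)
    'missing-defense-in-depth'  -> Java 6 older than Update 35
    'patched'                   -> at or above the relevant baseline
    'out-of-scope'              -> a version family the advisory does not name
    'unknown'                   -> version line not recognised
    """
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    major, minor, _patch, update = version
    if (major, minor) == (1, 7):
        return "patched" if update >= FIXED_UPDATE_FOR_7 else "vulnerable"
    if (major, minor) == (1, 6):
        return "patched" if update >= DEFENSE_IN_DEPTH_UPDATE_FOR_6 else "missing-defense-in-depth"
    # Assumption: anything outside the 1.6/1.7 families is reported, not judged.
    return "out-of-scope"


def check_local_java():
    """Run `java -version` on this host and classify it.
    Note that the JVM prints its version banner to stderr, not stdout."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stderr + proc.stdout)


# Constructed sample banners (not captured from real hosts) used for a dry run.
SAMPLES = {
    "7u6":  'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "7u7":  'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "7ga":  'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)',
    "6u33": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)',
    "6u35": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:5} -> {assess(banner)}")
    print(f"local -> {check_local_java()}")
```

Run without arguments it prints the classification for each constructed sample and then for whatever `java` is on the path. When using it across a fleet, feed it the banner collected by your inventory tooling rather than shelling out on every host; the parser is deliberately strict about the first line so that an unexpected format surfaces as "unknown" instead of being silently treated as patched.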

Reported by

2) James Forshaw (tyranid) via ZDI

Reported as a 0-day.

The vendor also credits Adam Gowdiak, Security Explorations.

Original Advisory

Oracle:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

FireEye:
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

ZDI:
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0214.html