| Field | Value |
|---|---|
| Secunia ID | SA50133 |
| CVE-ID | |
| Release Date | 27 Aug 2012 |
| Last Change | 24 Dec 2012 |
| Criticality | |
| Solution Status | Vendor Patch |
| Software | Oracle Java JDK 1.7.x / 7.x |
| Where | |
| Impact | System access. This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. |
| Description | Three vulnerabilities have been reported in Oracle Java, which can be exploited by malicious people to compromise a user's system. 1) An error in how the "setSecurityManager()" function can be called can be exploited by an applet to set its own privileges, e.g. to allow downloading and executing arbitrary programs. NOTE: This is currently being actively exploited in targeted attacks. 2) An error when handling reflection within the java.beans.Expression class can be exploited to compromise a user's system. 3) An unspecified error in the Beans sub-component can be exploited to compromise a user's system. Successful exploitation of the vulnerabilities allows execution of arbitrary code, but applies to client deployments only, as the vulnerabilities are exploited through untrusted Java Web Start applications and untrusted Java applets. |
| Solution | Update to version 7 Update 7. NOTE: The updated version also applies a defense-in-depth security fix to address an issue that makes exploitation of other vulnerabilities more severe. This fix is also implemented in version 6 Update 35. |
| Reported by | 2) James Forshaw (tyranid) via ZDI. Reported as a 0-day. The vendor also credits Adam Gowdiak, Security Explorations. |
| Original Advisory | Oracle: FireEye: ZDI: |