10 Jan 2013
04 Feb 2013
Oracle Java JDK 1.7.x / 7.x
This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.
Two vulnerabilities have been reported in Oracle Java, which can be exploited by malicious people to compromise a user's system.
1) An error within the "findClass()" method of the "MBeanInstantiator" class can be exploited by an applet to elevate its own privileges, e.g. to download and execute arbitrary programs.
NOTE: This vulnerability is currently being actively exploited.
This vulnerability is confirmed in version 7 update 10 build 1.7.0_10-b18. Prior versions may also be affected.
2) An error when handling the "invoke()" method via MethodHandle within the sun.misc.reflect.Trampoline class can be exploited to bypass the Security Manager and execute arbitrary Java code.
This vulnerability is reported in versions 7 update 10 and prior.
Update to version 7 update 11.
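The only remediation the advisory gives is the version boundary (7 update 10 and prior affected, 7 update 11 fixed), so the practical check is whether an installed runtime is on the wrong side of it. The following is an added example, not part of the advisory: it parses the `java -version` banner format (`1.7.0_10`, build `b18`) and classifies the runtime against that boundary. The sample banner lines are constructed, and the `assess()` status names are this example's own.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Constructed sample `java -version` banners (not captured from a real host).
# The 7u10 entry uses the build string named in the advisory, 1.7.0_10-b18.
SAMPLE_OUTPUTS = {
    "7u10": 'java version "1.7.0_10"\n'
            'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "7u11": 'java version "1.7.0_11"\n'
            'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "6u38": 'java version "1.6.0_38"\n',
}


class JavaVersion(NamedTuple):
    major: int            # 1 for the "1.x" naming scheme used by JDK 6/7
    minor: int            # 7 for Java 7
    patch: int            # usually 0
    update: int           # update number, e.g. 10 for 7u10
    build: Optional[str]  # e.g. "b18" when a build tag is present


VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')
BUILD_RE = re.compile(r'\(build [^)]*-(b\d+)\)')

# 7 update 11 is the fixed version named by the advisory.
FIXED_UPDATE = 11


def parse_java_version(output: str) -> JavaVersion:
    """Parse the first 'java version "..."' line (and optional build tag) from a banner."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'java version' line found in output")
    b = BUILD_RE.search(output)
    return JavaVersion(
        major=int(m.group(1)),
        minor=int(m.group(2)),
        patch=int(m.group(3)),
        update=int(m.group(4) or 0),
        build=b.group(1) if b else None,
    )


def assess(v: JavaVersion) -> str:
    """Classify a runtime against the advisory's stated version boundary.

    Returns one of (status names chosen for this example):
      "update-required"        -- Java 7, update 10 or earlier
      "fixed"                  -- Java 7, update 11 or later
      "outside-advisory-scope" -- not Java 7; the advisory only says prior
                                  versions "may also be affected", so no verdict
    """
    if (v.major, v.minor) != (1, 7):
        return "outside-advisory-scope"
    return "update-required" if v.update < FIXED_UPDATE else "fixed"


def check_local_java(java_cmd: str = "java") -> str:
    """Run `java -version` on this host and classify it. Note that the JVM
    prints the banner to stderr, not stdout."""
    proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True)
    return assess(parse_java_version(proc.stderr + proc.stdout))


if __name__ == "__main__":
    for label, banner in SAMPLE_OUTPUTS.items():
        v = parse_java_version(banner)
        print(f"{label}: {v} -> {assess(v)}")
```

`check_local_java()` is the piece you would drop into an inventory script; the `SAMPLE_OUTPUTS` walk under `__main__` only exists so the classification can be exercised offline.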
1) Reported as a 0-day.