
Oracle Java Two Code Execution Vulnerabilities


Secunia ID

SA51820

CVE-ID

CVE-2012-3174, CVE-2013-0422

Release Date

10 Jan 2013

Last Change

04 Feb 2013

Criticality

Extremely Critical

Solution Status

Vendor Patch

Software

Oracle Java JDK 1.7.x / 7.x
Oracle Java JRE 1.7.x / 7.x

Where

From remote

Impact

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Description

Two vulnerabilities have been reported in Oracle Java, which can be exploited by malicious people to compromise a user's system.

1) An error within the "findClass()" method of the "MBeanInstantiator" class can be exploited by an untrusted applet to raise its own privileges, e.g. to allow downloading and executing arbitrary programs.

NOTE: This vulnerability is currently being actively exploited.

This vulnerability is confirmed in version 7 update 10 build 1.7.0_10-b18. Prior versions may also be affected.

2) An error in the handling of "invoke()" calls made through a MethodHandle within the sun.misc.reflect.Trampoline class can be exploited to bypass the Security Manager and execute arbitrary Java code.

This vulnerability is reported in versions 7 update 10 and prior.

Solution

Update to version 7 update 11.
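As an added example (not part of the original advisory), the following script checks whether a host's installed Java 7 runtime is older than the fixed release, Java 7 Update 11, by parsing the "1.7.0_NN-bNN" version string that `java -version` prints; the helper names and the sample banner text are constructed for this example.

```python
import re
import subprocess

# Fixed release per the advisory: Java 7 Update 11. 7u10 and earlier are affected.
FIXED_MAJOR, FIXED_UPDATE = 7, 11

# Matches the legacy "1.7.0_10" form and the build string "1.7.0_10-b18".
_VERSION_RE = re.compile(r'\b1\.(\d+)\.\d+(?:_(\d+))?(?:-b(\d+))?')


def parse_java_version(text):
    """Extract (major, update, build) from `java -version` output.

    Returns None when no legacy-form version string is present. A missing
    update number (e.g. "1.7.0") is treated as update 0; the match that
    carries a build number ("-bNN") is preferred when several are present.
    """
    best = None
    for m in _VERSION_RE.finditer(text):
        if best is None or (m.group(3) and not best.group(3)):
            best = m
    if best is None:
        return None
    major = int(best.group(1))
    update = int(best.group(2) or 0)
    build = int(best.group(3)) if best.group(3) else None
    return (major, update, build)


def is_affected(version):
    """True when the version lies in the advisory's affected range (Java 7
    before Update 11). Other major versions are outside this advisory's
    scope and are reported as not affected by it, not as safe in general."""
    if version is None:
        return False
    major, update, _build = version
    return major == FIXED_MAJOR and update < FIXED_UPDATE


def check_local_java():
    """Run `java -version` on this host and return (version, affected).
    The JVM writes its version banner to stderr, so both streams are read."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return (None, False)
    version = parse_java_version(proc.stderr + proc.stdout)
    return (version, is_affected(version))


if __name__ == "__main__":
    ver, hit = check_local_java()
    print("java not found" if ver is None else
          f"java {ver}: {'AFFECTED, update to 7u11' if hit else 'not in affected range'}")
```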

Reported by

1) Reported as a 0-day.
2) Ben Murphy via ZDI.

Original Advisory

Oracle:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

0-day:
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html