Yet another Java vulnerability discovered, researchers recommend disabling browser plug-in

Following an attack on a smaller number of corporate Macs that exploited a flaw in the Java browser plug-in, researchers from security firm FireEye warned users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are now vulnerable to a malware attack that installs a remote access tool known as McRAT.

Apple updates Safari web plugin blocker to disable new Java vulnerability

Following a number of reports of new zero-day vulnerabilities in the Java browser plug-in, Oracle has today released an emergency update to Java 7 as Apple updates Java SE 6 to version 1.6.0_43. Researchers from security firm FireEye warned users last week of yet another new Java zero-day vulnerability and recommended users disable Java until Oracle addresses the issue. Today, Oracle said it knew about the flaw since Feb. 1 but didn't get around to patching it in the last release:

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. Both vulnerabilities affect the 2D component of Java SE. These vulnerabilities have each received a CVSS Base Score of 10.0. One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE. The company intended to include a fix for CVE-2013-1493 in the ApCritical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert. Further information is available via the Java website at

Apple has released Java for OS X 2013-005, which “delivers improved security, reliability, and compatibility for Java SE 6”. The update is available in the Mac App Store. Apple’s decision to cut off internal support and development stems from the decreased necessity for the platform and the fact that Mac malware usually comes from Java security holes. New Macs do not come with Java installed and newer versions of Java are released and maintained by Oracle. Of note, the update “uninstalls the Apple-provided Java applet plug-in from all web browsers.” On Apple’s security page for the latest update, it is noted that some holes existed in the software:

Multiple vulnerabilities existed in Java 1.6.0_51, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_65.