Qualys Blog

www.qualys.com
wkandek

New 0-day for Oracle Java – Update 2

Update 2 (March 4): Oracle released a new version of Java – v7 update 17 – addressing 2 vulnerabilities, CVE-2013-1493 and CVE-2013-0809. Both had been scheduled to be included in next month's scheduled update on April 16, but were brought forward because of the attacks in the wild. Patch as soon as possible.

Update (March 4): Oracle assigned CVE-2013-1493 to the vulnerability reported by FireEye. Some more details can be found in this CVRF formatted document which also lists CVE-2013-0809.

Original: Yesterday FireEye published an analysis of what looks like another exploit against a vulnerability in the latest version of Java. Java 7 update 15 was released just two weeks ago, but we have already heard from security researchers who have found flaws in the software, and now there is this latest news of exploits in the wild.

These attacks are all against Java on the desktop and use the browser as the attack vector. Our recommendation is to uninstall Java from the desktop if possible; otherwise disconnect Java from the browser, which recent versions of Java have made much easier. If neither of these options works, look at a whitelisting solution for Java. Through its Zone mechanism, Internet Explorer lets you disable Java in the Internet Zone but leave it enabled in the Trusted Sites zone, which then needs to contain the sites on which you need to run Java (GoToMeeting, internal sites, etc.).
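The zone-based whitelisting described above can be scripted rather than clicked through the Internet Options dialog. The following PowerShell is an added example, not part of the original post and not Qualys or Oracle code; it writes the per-user Internet Explorer zone settings (value 1C00 is the "Java permissions" URL action, value 1402 is "Scripting of Java applets"), disables both in the Internet zone (zone 3), keeps Java at High safety in Trusted Sites (zone 2), and adds the sites that still need Java to Trusted Sites. The site names are placeholders; replace them with your own.

```powershell
# Added example (not from the Qualys post): restrict Java in Internet Explorer by security zone.
# Disables Java in the Internet zone (3), leaves it enabled in Trusted Sites (2), and whitelists
# the sites that still need it. HKCU settings apply to the current user only.

$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# 1C00 = "Java permissions" URL action. 0 = Disable Java,
# 0x10000 = High safety, 0x20000 = Medium safety, 0x30000 = Low safety.
$JavaDisabled   = 0x0
$JavaHighSafety = 0x10000

# 1402 = "Scripting of Java applets". 0 = Enable, 1 = Prompt, 3 = Disable.
$ScriptingDisabled = 3

# Internet zone: no Java at all.
Set-ItemProperty -Path "$zones\3" -Name '1C00' -Value $JavaDisabled      -Type DWord
Set-ItemProperty -Path "$zones\3" -Name '1402' -Value $ScriptingDisabled -Type DWord

# Trusted Sites zone: Java stays available, at High safety.
Set-ItemProperty -Path "$zones\2" -Name '1C00' -Value $JavaHighSafety -Type DWord

# Whitelist: map each site into the Trusted Sites zone (ZoneMap value 2 = Trusted Sites).
# Domain names below are placeholders standing in for the post's "GoToMeeting, internal sites".
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$trusted = @(
    @{ Domain = 'gotomeeting.com';       Scheme = 'https' },  # placeholder
    @{ Domain = 'intranet.example.test'; Scheme = 'https' }   # placeholder internal site
)
foreach ($site in $trusted) {
    $key = Join-Path $domains $site.Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $site.Scheme -Value 2 -PropertyType DWord -Force | Out-Null
}

# Read the settings back so the change can be verified (and audited later).
Get-ItemProperty -Path "$zones\3" -Name '1C00','1402'
Get-ItemProperty -Path "$zones\2" -Name '1C00'
Get-ChildItem -Path $domains | Select-Object PSChildName
```

Two things to check before relying on this: if the machine has Security_HKLM_only set (common in managed environments), IE reads the zone values from the HKLM hive instead and the same values must be written there or pushed via Group Policy (Internet Control Panel > Security Page > Internet Zone > Java permissions); and because the Oracle plug-in loads as an ActiveX control, confirm with a known applet page in the Internet zone that it really is blocked after the change, rather than assuming the zone setting alone is enough on every IE and Java version.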

We will keep you updated as the information on this latest exploit becomes more precise.
