Java JRE updates/advisories



#16 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 13 January 2010 - 03:22 PM

FYI...

Sun Java JRE v1.6.0_18 released
- http://java.sun.com/...loads/index.jsp
January 13, 2010

Release Notes - Changes in 1.6.0_18
- http://java.sun.com/...notes/6u18.html
"... This feature release does not contain any new fixes for security vulnerabilities to its previous release, Java SE 6 Update 17. Users who have Java SE 6 Update 17 have the latest security fixes and do not need to upgrade to this release to be current on security fixes..."

Bug fixes - 358
- http://java.sun.com/...gfixes-1.6.0_18

:ph34r:

Edited by AplusWebMaster, 13 January 2010 - 05:47 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#17 AplusWebMaster

Posted 30 March 2010 - 10:56 AM

FYI...

Java JRE 6 Update 19 released
- http://java.sun.com/...loads/index.jsp
March 30, 2010

Supported System Configurations
- http://java.sun.com/...igurations.html

Changes in 1.6.0_19
- http://java.sun.com/...notes/6u19.html
"This release contains fixes for security vulnerabilities..."
28 Bug Fixes

- http://secunia.com/advisories/37255/
Release Date: 2010-03-31
Criticality level: Highly critical
Impact: Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Java JDK 1.4.x, 1.5.x, 1.6.x, Java JRE 1.4.x, 1.5.x / 5.x, 1.6.x / 6.x
Oracle:
http://www.oracle.co...cpumar2010.html

- http://secunia.com/s...search/2009-49/
31/03/2010
- http://secunia.com/s...search/2009-50/
31/03/2010

- http://atlas.arbor.n...ndex#2090669689
March 31, 2010 - "Analysis: This is a serious issue for Java users who should review this update and apply it as soon as possible..."

:ph34r:

Edited by AplusWebMaster, 02 April 2010 - 08:13 AM.

#18 AplusWebMaster

Posted 12 April 2010 - 04:52 AM

FYI...

JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution vulns

- http://secunia.com/advisories/39260/
Release Date: 2010-04-12
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
... The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected...
Original Advisory: Tavis Ormandy:
http://archives.neoh...10-04/0122.html ...

- http://www.securityf.../bid/39346/info
Remote: Yes
Updated: Apr 09 2010
Vulnerable: Sun JRE (Windows Production Release) "since version 6 Update 10".
- http://www.securityf...d/39346/discuss
Java Runtime Environment (JRE) is prone to arbitrary code-execution vulnerabilities that affect multiple Java plugins for multiple browsers. Attackers can exploit these issues to execute arbitrary code in the context of the user running the vulnerable applications. The issues affect Java Runtime Environment versions 1.6.0_10 and later (JRE 6 Update 10 and later); other versions may also be vulnerable...

- http://www.mail-arch...k/msg40571.html
09 Apr 2010

- http://www.symantec....eatconlearn.jsp
09 Apr 2010
• 'deploytk.dll' - Java Deployment Toolkit ActiveX plugin for Internet Explorer (CLSID: CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA)
• 'jp2iexp.dll' - Java Platform SE ActiveX plugin for Internet Explorer (CLSID: 8AD9C840-044E-11D1-B3E9-00805F499D93)
• 'npdeploytk.dll' - Java Deployment Toolkit plugin for Mozilla Firefox
• 'npjp2.dll' - Java Platform SE plugin for Mozilla Firefox and Google Chrome

- http://www.theregist..._vulnerability/
09 Apr 2010

- http://isc.sans.org/...ml?storyid=8608
Last Updated: 2010-04-10 21:01:56 UTC

- http://www.us-cert.g..._toolkit_plugin
April 13, 2010
- http://www.kb.cert.org/vuls/id/886582
Last Updated: 2010-04-12

:ph34r:

Edited by AplusWebMaster, 14 April 2010 - 02:52 AM.

#19 AplusWebMaster

Posted 14 April 2010 - 07:06 PM

FYI...

Java exploit in the wild...
- http://www.theregist...lity_exploited/
14 April 2010 - "A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle's Java virtual machine, which is installed on hundreds of millions of computers worldwide. The site, songlyrics .com, is serving up javascript that invokes the weakness disclosed last week by security researcher Tavis Ormandy... AVG Technologies Chief Research Officer Roger Thompson, who discovered the in-the-wild attack, said songlyrics .com reaches out to another domain, assetmancomjobs .com, for a malicious JAR, or Java Archive, file and gets a 404 error indicating the payload isn't available..."

- http://krebsonsecuri...ed-in-the-wild/
April 14, 2010

- http://www.symantec....eatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated.
On April 14, 2010, multiple sources reported in-the-wild exploitation of a code execution vulnerability (BID 39346) affecting Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins. This issue affects Oracle Java JRE, since version 6 Update 10 (Other versions may also be affected). Exploitation of this issue can allow an attacker to load and execute an arbitrary JAR file from an attacker specified UNC share. Since there is no patch available we recommend users to stay cautious while visiting sites and disable the associated controls if they are not required..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 15 April 2010 - 06:43 AM.

#20 AplusWebMaster

Posted 15 April 2010 - 11:58 AM

FYI...

Java JRE 6 Update 20 released
- http://java.sun.com/...loads/index.jsp
April 15, 2010

Changes in 1.6.0_20
- http://java.sun.com/...notes/6u20.html
"This release contains fixes for security vulnerabilities..."
3 Bug Fixes...

Supported System Configurations
- http://java.sun.com/...igurations.html

- http://secunia.com/advisories/39260/
Last Update: 2010-04-16
Criticality level: Highly critical
Impact: System access
Where: From remote
Software: Sun Java JDK 1.6.x, Sun Java JRE 1.6.x / 6.x
CVE Reference(s):
- http://web.nvd.nist....d=CVE-2010-0886
Last revised: 05/27/2010 / CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist....d=CVE-2010-0887
Last revised: 05/25/2010 / CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist....d=CVE-2010-1423
Last revised: 04/16/2010 / CVSS v2 Base Score: 9.3 (HIGH)
Solution:
Update to JRE or JDK version 6 Update 20.

Java Patch Targets Latest Attacks
- http://krebsonsecuri...latest-attacks/
April 15, 2010

:ph34r:

Edited by AplusWebMaster, 14 June 2010 - 07:35 AM.

#21 AplusWebMaster

Posted 20 April 2010 - 02:19 AM

FYI...

Java v1.6.0_20 US-CERT advisory...
- http://www.kb.cert.org/vuls/id/886582
Last Updated: 2010-04-19
"... Note: The installer for Java 1.6.0_20 may not correctly update all instances of the Java Deployment Toolkit plugin. In some cases, the plugin that resides in the \bin\new_plugin directory may not be updated to the fixed 6.0.200.2 version of npdeployJava1.dll. If the new_plugin directory contains npdeploytk.dll version 6.0.190.4 or earlier, then browsers that use plug-ins, such as Mozilla Firefox or Google Chrome, may still be vulnerable. To correct this situation, delete the vulnerable npdeploytk.dll from the new_plugin directory and replace it with the npdeployJava1.dll version from the bin directory. Please note that the Java Development Toolkit can be installed in multiple browsers, therefore workarounds need to be applied to all browsers with the Java Development Toolkit..."
(IE "killbit" procedure also available at the URL above.)

- http://krebsonsecuri...gin-in-firefox/
April 20, 2010 - "Mozilla is disabling older versions of the Java Development Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code... If you want to disable it manually, go to Tools, Add-ons, click the Plugins icon, select the Toolkit and hit the “Disable” button..."

:ph34r: :ph34r:
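
The US-CERT note quoted in post #21 comes down to a file-version check that has to be repeated for every installed copy of the plugin. The PowerShell audit below is an added example, not part of the original post or the advisory; the default search roots are assumptions, while the file names and version numbers are the ones quoted in the note.

```powershell
# Added example: report every copy of the Java Deployment Toolkit plugin
# and classify it against the versions quoted in the US-CERT note.
param(
    # Assumption: usual JRE/JDK install roots; pass other directories as needed.
    [string[]]$SearchRoot = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java")
)

# Versions quoted in the note.
$LastVulnerable = [version]'6.0.190.4'   # npdeploytk.dll at or below this is vulnerable
$FirstFixed     = [version]'6.0.200.2'   # fixed npdeployJava1.dll

# File names quoted in the note.
$PluginNames = 'npdeploytk.dll', 'npdeployJava1.dll'

function Get-PluginStatus {
    param([System.IO.FileInfo]$File)

    $vi = $File.VersionInfo
    # Build the version from its numeric parts; the FileVersion string is free-form.
    # A file with no version resource yields 0.0.0.0 and is flagged, which is the safe side.
    $ver = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    if     ($ver -le $LastVulnerable) { $status = 'VULNERABLE' }
    elseif ($ver -ge $FirstFixed)     { $status = 'fixed' }
    else                              { $status = 'review' }   # version the note does not cover

    [pscustomobject]@{
        Status  = $status
        Version = $ver
        Path    = $File.FullName
    }
}

$findings = foreach ($root in $SearchRoot) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # Recurse so that leftover copies in older JRE directories and in
    # bin\new_plugin are found as well as the current bin directory.
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $PluginNames -contains $_.Name } |
        ForEach-Object { Get-PluginStatus -File $_ }
}

if ($findings) {
    $findings | Sort-Object Status, Path | Format-Table -AutoSize
} else {
    Write-Output 'No Deployment Toolkit plugin copies found under the search roots.'
}
```

The script only reports; any copy listed as VULNERABLE is handled with the delete-and-replace step the note describes.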

#22 AplusWebMaster

Posted 23 May 2010 - 06:17 PM

FYI...

Java - Remote Code Execution vuln [POC released] - updates available
- http://isc.sans.org/...ml?storyid=8845
Last Updated: 2010-05-23 20:51:37 UTC - "SecurityFocus has published Bugtraq ID 39077 vulnerability for Java SE and Java for Business, which allows attackers to remote execute code context of the user running the affected application. Read the publication here:
- http://www.securityfocus.com/bid/39077
Updated: May 21 2010
... blog explaining the technical details. Read it here*. The solution is to update java to a non-vulnerable version. Please read
- http://www.securityf.../bid/39077/info at bottom of the page." ['Not Vulnerable']

* http://vreugdenhilre...ulnerabilities/
May 21, 2010

- http://www.oracle.co...cpumar2010.html
"... Affected product releases and versions... JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux..."

- http://web.nvd.nist....d=CVE-2010-0842
Last revised: 05/08/2010
CVSS v2 Base Score: 7.5 (HIGH)

- http://atlas.arbor.n...dex#-1067279310
Title: Oracle Java Security Alert
Severity: Extreme Severity
Published: Thursday, June 10, 2010 18:11
Oracle has released a Java security alert for two bugs in the JDK and JRE 6. Desktop Java installations can be used to execute arbitrary commands on the victim's system. Oracle has released updated software to address this issue.
Analysis: This is a critical issue we have seen exploited in the wild. Due to the complexity of updating Java installations, which may leave behind older and vulnerable versions, we encourage sites to update with extreme care.
Source: Oracle Security Alert for CVE-2010-0886 - May 2010
- http://www.oracle.co...-2010-0886.html

:ph34r:

Edited by AplusWebMaster, 14 June 2010 - 07:05 AM.

#23 AplusWebMaster

Posted 08 July 2010 - 11:30 AM

FYI...

Java JRE 6 Update 21 released
- http://java.sun.com/...loads/index.jsp
July 8, 2010

Changes in 1.6.0_21
- http://java.sun.com/...notes/6u21.html
"Bug Fixes: Java SE 6 Update 21 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6 Update 20. Users who have Java SE 6 Update 20 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. For other bug fixes, see the Java SE 6u21 Bug Fixes* page..."
* http://java.sun.com/...gFixes6u21.html
(Many) ... including: Comparison of 2 arrays could cause VM crash, Windows-only: tzmappings needs update for KB979306, Java plugin + Firefox does not pick up auto proxy settings from Java control panel, Add Sun Java Plugin in windows registry for Mozilla Browsers, regression: deadlock in JNLP2ClassLoader, 1.6 update 17 and 18 throw java.lang.IndexOutOfBoundsException, and others.

- http://www.oracle.co...u21-156341.html
Changes in 1.6.0_21 (6u21)
___

- http://blogs.iss.net...tart_Jailb.html
July 12, 2010 - "... issues regarding an argument injection vulnerability affecting Sun Java JRE/JDK version 6.19 and earlier (CVE-2010-1423*)... IBM Managed Security Services (MSS)... discovered that within that timeframe (April 21 through May 26) 4,118 attacks against the CVE-2010-1423 vulnerability were observed... it was observed that most of the malicious sites were associated with the Fragus Exploit Kit. Fragus is a console application for managing and cultivating botnets... If an attack is successful, the victim becomes a member of the botnet..."
- http://web.nvd.nist....d=CVE-2010-1423
___

- http://blogs.sun.com...y/cpu_july_2010
03 Aug 2010 - "In the July 2010 Critical Patch Update, per policy, Oracle no longer provided the mapping between CVE numbers and individual patches. As a result of customer input, Oracle will provide the CVE to individual patch mapping in the July 2010 Critical Patch Update. Oracle plans to reevaluate this policy in time for the October 2010 Critical Patch Update..."

:ph34r:

Edited by AplusWebMaster, 22 August 2010 - 08:55 AM.

#24 AplusWebMaster

Posted 12 October 2010 - 04:01 PM

FYI...

Java JRE v1.6.0_22 released
- http://www.oracle.co...oads/index.html
2010-October-12

Release Notes
- http://www.oracle.co...tes-176121.html

Oracle Java SE and Java for Business Risk Matrix (CVE#)
- http://www.oracle.co...ml#AppendixJAVA

- http://krebsonsecuri...security-flaws/
October 12, 2010 - "... critical update... fixing at least 29 security vulnerabilities..."

- http://secunia.com/advisories/41791/
Release Date: 2010-10-13
Last Update: 2010-10-21
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
Solution Status: Vendor Patch
CVE Reference(s): CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574

- http://www.securityt....com/id?1024573
Oct 14 2010

:ph34r:

Edited by AplusWebMaster, 23 October 2010 - 06:10 AM.

#25 AplusWebMaster

Posted 18 October 2010 - 12:23 PM

FYI...

Have you checked Java?...
- http://blogs.technet...d-the-java.aspx
18 Oct 2010 - "... by the beginning of this year, the number of Java exploits... (... -not- attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored. See chart... a reminder that, in addition to running real-time protection, it is -imperative- to apply all security updates for software, no matter what your flavor might be."
Chart: http://blogs.technet...00_4ECD269A.gif

- http://krebsonsecuri...a-exploitation/
October 18, 2010 - "... the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions” ..."
- http://web.nvd.nist....d=CVE-2008-5353
Last revised: 08/21/2010
CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist....d=CVE-2009-3867
Last revised: 08/21/2010
CVSS v2 Base Score: 9.3 (HIGH)
- http://web.nvd.nist....d=CVE-2010-0094
Last revised: 08/21/2010
CVSS v2 Base Score: 7.5 (HIGH)

- http://labs.m86secur...ted-by-zombies/
October 15, 2010 - "... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed..."

- https://www.sans.org...issue=84#sID202
"... Eighty percent of PCs run at least one version of Java. Of those, 40 percent are running outdated versions. There is a Java update service, but user notification is slow and the service allows multiple versions of the software to run on PCs, so users' computers can be vulnerable to older attacks even if they're running a newer version of Java..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 25 October 2010 - 08:10 AM.

#26 AplusWebMaster

Posted 26 October 2010 - 06:30 AM

FYI...

Hello? Update. Please?
- http://www.zdnet.co....-hole-10020866/
25 October, 2010 - "... Only 7% have applied the critical patch. According to Trusteer*, 68% of Internet users are still at risk from the attacks that these Java vulnerabilities expose and goes as far as to claim that it has become the single most exploitable vulnerability on the web today... these things are not called 'critical' for the heck of it. "

* http://www.trusteer....unpatched-users
Oct. 25, 2010 – "... over a week after Oracle released a critical patch for Java, more than 68 percent of Internet users are still at risk from attacks that exploit these vulnerabilities. This may be the biggest security hole on the Internet today, since 73 percent of Internet computers are using Java..."

- http://blogs.cisco.c...dscape-today-2/
October 28, 2010 - "... Cisco ScanSafe data from the past 6 months:
- http://blogs.cisco.c...va-Security.jpg
Java vs. Flash vs. PDF, Apr - Sep 2010
... for all web-based malware, 65% of what ScanSafe blocked was prior to exploit delivery, at the iframe or malicious JavaScript reference level..."
___

60 second check for updates here.

:scratch:

Edited by AplusWebMaster, 05 November 2010 - 09:25 PM.

#27 AplusWebMaster

Posted 10 November 2010 - 09:29 PM

FYI...

Java exploits!...
- http://isc.sans.edu/...ml?storyid=9916
Last Updated: 2010-11-11 00:05:00 UTC - "... Bottom line: If you haven't done so yet, hunt down and patch every incarnation of Java on the PCs that you are responsible for."
* http://www.virustota...cd28-1289430438
File name: bad.exe
Submission date: 2010-11-10 23:07:18 (UTC)
Result: 14/43 (32.6%)

Currently Exploited Sun Java Vulnerabilities
- http://blog.sharpese...ulnerabilities/
___

60 second check for updates here.
___

- http://www.guardian....y-apache-crisis
16 November 2010

:ph34r: :ph34r:

Edited by AplusWebMaster, 08 December 2010 - 09:58 AM.

#28 AplusWebMaster

Posted 08 December 2010 - 03:45 PM

FYI...

Java JRE v1.6.0_23 released
- http://www.oracle.co...oads/index.html
Dec. 8, 2010
Offline Installation - jre-6u23-windows-i586.exe - 15.79 MB
[Noted: 2011.01.14 - "This release includes performance improvements and bug fixes."]

- http://www.oracle.co...tes-191058.html
"... Bug Fixes: Java SE 6u23 does not contain any additional fixes for security vulnerabilities to its previous release, Java SE 6u22. Users who have Java SE 6u22 have the latest security fixes and do not need to upgrade to this release to be current on security fixes. For other bug fixes, see the Java SE 6u23 Bug Fixes page*..."
* http://www.oracle.co...xes-191074.html
208 bug fixes ...
?? "6945145 - java_deployment - security - PKIX path validation failed: App won't start when offline when using JOGL/Win7 ..."

:ph34r:

Edited by AplusWebMaster, 14 January 2011 - 01:35 PM.

#29 AplusWebMaster

Posted 09 February 2011 - 09:12 AM

FYI...

Java vuln - patch available...
- http://secunia.com/advisories/43262/
Release Date: 2011-02-09
Criticality level: Moderately critical
Impact: DoS
Where: From remote
Solution: Apply patch via the FPUpdater tool.
... The vulnerability is reported in the following products: Sun JDK and JRE 6 Update 23 and prior, Sun JDK 5.0 Update 27 and prior, Sun SDK 1.4.2_29 and prior.
- http://www.oracle.co...476-305811.html
2011-February-08
___

- http://blogs.oracle....ve-2010-44.html
February 8, 2011 - "... the fix for this vulnerability will also be included in the upcoming Java Critical Patch Update (Java SE and Java for Business Critical Patch Update - February 2011*), which will be released on February 15th 2011..."
* http://www.oracle.co...rts-086861.html

- http://www.h-online....ty-1186135.html
9 February 2011 - "... Affected are Java SE and Java for Business in the current and all previous versions of the JDK/JRE 6, 5 and 1.4. To solve the problem, Oracle has released a hotfix* that users are advised to apply immediately, as information on how to exploit the DoS vulnerability is already freely available. The vendor also plans to release a regular Java update on 15 February."
* http://www.oracle.co....html#fpupdater

:ph34r:

Edited by AplusWebMaster, 09 February 2011 - 12:54 PM.

#30 AplusWebMaster

Posted 15 February 2011 - 01:01 PM

FYI...

Java v1.6.0_24 released
- http://www.oracle.co...oads/index.html
Feb. 15, 2011

Release Notes
- http://www.oracle.co...tes-307697.html
The full internal version number for this update release is 1.6.0_24-b07 (where "b" means "build"). The external version number is 6u24...
Bug Fixes: This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE and Java for Business Critical Patch Update advisory.
- http://www.oracle.co...011-304611.html
Feb. 2011 - "... This Critical Patch Update contains 21 new security fixes..."

Java Downloads for All Operating Systems - Recommended Version 6 Update 24
- http://java.com/en/download/manual.jsp

Which version of Java should I download for my 64-bit Windows operating system?
- http://java.com/en/d...va_win64bit.xml

Bug list:
- http://www.oracle.co...ml#AppendixJAVA
___

3rd party Java test site
- http://javatester.org/version.html
___

Java - Multiple Flaws Let Remote Users Execute Arbitrary Code, Access Data, Modify Data, and Deny Service
- http://www.securityt....com/id/1025082
Feb 15 2011

- http://secunia.com/advisories/43262/
Last Update: 2011-02-16
Criticality level: Highly critical
Impact: Manipulation of data, Exposure of sensitive information, DoS, System access
Where: From remote...
Solution: Apply updates (see vendor's advisory).
Original Advisory: Oracle:
- http://www.oracle.co...011-304611.html
___

Most Vulnerable Browser Plug-in...
- http://www.esecurity...int.php/3925356
February 17, 2011 - "... between July of 2010 and January of 2011... 42 percent of users were running vulnerable out-of-date Java plug-ins..."

:ph34r:

Edited by AplusWebMaster, 20 February 2011 - 11:52 AM.
