Oracle has released a new update, Java 7 Update 11, that fixes a critical flaw, CVE-2013-0422, in the MBeanInstantiator of the Java Runtime. The flaw allows attackers to execute arbitrary code by loading unspecified classes.
A big response from security bloggers has sparked harsh criticism of Oracle. See the coverage from Kafeine, ThreatPost, and Krebs; many other bloggers are discussing it too. From what it seems, Oracle was rather stubborn about this, as it has been before.
The update is available from the Java.com Web site, or from within Java via the Java Control Panel. Existing users should be able to update by going to the Control Panel and opening the Java Control Panel, or by searching for “Java”, then clicking the “Update Now” button on the Update tab.
The update also changes the way Java handles unsigned applications. According to Oracle’s advisory: “The default security level for Java applets and web start applications has been increased from “Medium” to “High”. This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.”
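As an added example (not code from the original post or from Oracle), here is a small Python check an administrator could run across machines to tell whether an installed Java 7 has reached Update 11 and what security level the Java deployment configuration is set to. It assumes the first line of `java -version` has the form `java version "1.7.0_10"`, and that the applet security level is stored under a `deployment.security.level` key in deployment.properties (that key name is my assumption; verify it against your installation). The sample outputs it parses are constructed.

```python
import re
import subprocess

# Java 7 Update 11 is the release the post says fixes CVE-2013-0422.
FIXED_MAJOR = 7
FIXED_UPDATE = 11

# First line of `java -version` for Java 7 looks like: java version "1.7.0_10"
VERSION_RE = re.compile(r'version\s+"1\.(\d+)\.\d+_(\d+)')

# Assumed key in deployment.properties that holds the applet security level.
LEVEL_RE = re.compile(r'^\s*deployment\.security\.level\s*=\s*(\S+)', re.MULTILINE)


def parse_java_version(version_output):
    """Return (major, update) parsed from `java -version` text, or None."""
    m = VERSION_RE.search(version_output)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_7u11(version_output):
    """True if this is a Java 7 install below Update 11 (still missing the
    CVE-2013-0422 fix), False if it is at or above 7u11, and None when the
    output is not Java 7 or cannot be parsed (this check says nothing about
    other major versions)."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return None
    major, update = parsed
    if major != FIXED_MAJOR:
        return None
    return update < FIXED_UPDATE


def security_level(deployment_properties_text):
    """Return the configured applet security level (e.g. 'HIGH'), or None
    if the assumed key is absent."""
    m = LEVEL_RE.search(deployment_properties_text)
    return m.group(1).upper() if m else None


def installed_java_version_output():
    """Run `java -version` on this host (it prints to stderr) and return the
    captured text, or None if no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr + proc.stdout


# Constructed sample inputs, not captured from a real machine.
SAMPLE_OLD = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment'
SAMPLE_NEW = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment'
SAMPLE_PROPS = "deployment.security.level=HIGH\n"

if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, parse_java_version(text), "needs 7u11:", needs_7u11(text))
    print("security level:", security_level(SAMPLE_PROPS))
    live = installed_java_version_output()
    if live is not None:
        print("this host:", parse_java_version(live), "needs 7u11:", needs_7u11(live))
```

Running the script reports the two constructed samples and, if a `java` binary is on the PATH, the version actually installed on the host; a result of `True` from `needs_7u11` means the machine still needs the 7u11 update described above.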
Apparently the issue had been fixed once before, but that fix proved ineffective. Many security bloggers say to just remove Java: forget about it if you don’t need it. That saves you the time of updating it (all the time!) and the security trouble.
Adobe will release a round of updates on Patch Tuesday (as usual). This month, Patch Tuesday (which involves Microsoft and Adobe, and sometimes Oracle) falls on January 8. The first updates address vulnerabilities in the Reader and Acrobat products, while the others address ColdFusion vulnerabilities.
“Adobe is aware of reports of security issues in ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX that are being exploited in the wild. We are currently evaluating the reports and plan to issue a security advisory as soon as we have determined mitigation guidance for ColdFusion customers and a timeline for a fix,” said Adobe’s Wendy Poland in an advisory posted January 3.
On the good-news side, none of these vulnerabilities are being actively exploited in the wild. But let’s not be too hasty to underestimate threats. Make sure to get patched on Tuesday!
Vulnerabilities in Adobe Reader and Acrobat versions 11.0.0 and earlier are going to be patched next week.
Last month, there were issues in Flash Player and ColdFusion. It looks like these have been favorites of attackers lately.
Protect yourself from vulnerabilities with Kaspersky ONE Security, one good price ($79.95) per year for awesome protection.