Oracle heeft updates voor versies 6.0 en 7.0 voor zowel de developmentkit als de runtime-environment van Java Standard Edition uitgebracht. Deze updates moeten onder meer een ernstig lek in Java 7.0 dichten, waarvan eerder deze week bekend werd dat het actief misbruikt werd. Meer informatie over de beveiligingsproblemen kunnen in onderstaand security-bulletin worden gevonden.
Security Alert for CVE-2012-4681 Released
Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers. These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547. These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software.
Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0. This score assumes that the affected users have administrative privileges, as is typical in Windows XP. Vulnerability CVE-20120-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments, but Oracle has issued a security-in-depth fix for this issue as it can be used in conjunction with other vulnerabilities to significantly increase the overall impact of a successful exploit.
If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.
Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alertas soon as possible. Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.
For more information:
- Developers should download the latest release at http://www.oracle.com/technetwork/java/javase/downloads/index.html
- Java users should download the latest release of JRE at http://java.com, and of course
- Windows users can take advantage of the Java Automatic Update to get the latest release.
- The Advisory for Security Alert CVE-2012-4681 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
- Users can verify that they’re running the most recent version of Java by visiting: http://java.com/en/download/installed.jsp
- Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml