US-CERT: Java vulnerability

Fri 11 January 2013

A bad (as in it's a 10) Java vulnerability has been discovered.  Affecting Java 7 Update 10 and prior versions, this vulnerability can allow an untrusted Java applet to escalate its privileges without requiring code signing.

Currently, the only defense against this vulnerability is to disable Java in your browser.  Additional information is provided by US-CERT.

Update at 20:18 UTC 11 Jan

A good resource for following this story is krebsonsecurity.com.

Update at 22:05 UTC 14 Jan

The US-CERT has released the following bulletin:

US-CERT Current Activity
Oracle Releases Out-of-Band Patch to Address Java 7 Vulnerability

Original release date: January 14, 2013
Last revised: January 14, 2013

Oracle has released an out-of-band patch to address the recently
announced vulnerability in Java Runtime Environment (JRE) 7. US-CERT
encourages users and administrators to review the bulletin and follow
best-practice security policies to determine which updates should be
applied.

Relevant URL(s):
<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>

<http://www.us-cert.gov/current/#us_cert_releases_oracle_java>

By Sparks, Category: Information Security

Tags: Java / vulnerability