Critical Update Java SE 7 Update 13 with the removal of 50 uyazvimosteyKompaniya Oracle introduced the biggest in the history of updates to fix security problems in Java SE - Java SE 7 Update 13 and Java SE 6 Update 39, which eliminated the 50 vulnerabilities, 26 of which have been assigned the highest level of danger (CVSS Score 10.0), implying the possibility of going beyond an isolated virtual machine environment and the initiation of the code in the system when processing specially decorated content. Initially, the minor release was scheduled for February 19, but was released early, as one critical vulnerability patched in the browser Java-Plugin has a zero-day nature of the problem for which the network has already recorded facts of exploitation.
All critical problem prone remote operation without requiring authentication. 23 critical vulnerabilities occur at the client side processing in the browser plug-in special layout Java Web Start application or Java-applet, three issues are subject to both client and server systems (operating through an appeal to the server API). Separately, the two vulnerabilities in the Server component JSSE (Java Secure Socket Extension).
Of the total number of problems 49 vulnerabilities can be exploited remotely to attack vector through the network without prior authentication. 39 vulnerabilities found in the Java Runtime Environment, and 11 in JavaFX. Of vulnerabilities in JRE two problems found in the 2D-subsystem 4 in CORBA, 4 in AWT, 10 in the Deployment Toolkit, 3 in JMX, five libraries, two in JSSE, one in Java Beans, 1 scripting system, 1 in the sound subsystem, one in the installer, 1 in JAX-WS, 1 in JAXP, 1 in RMI, 1 in the network subsystem.
The announcement Oracle says that the risk of exploitation of security problems decreased due to the fact that starting with Java SE 7 Update 11 has been changed the default value for security. If earlier in the applet to use the average level of security, it is now involved the highest levels, including additional checks and require mandatory manual confirmation run in the browser unsigned applets, Java Web Start, or JavaFX. However, Adam Gowdiak, a famous Polish security researcher, said recently that the levels of security you can get around and they are effective only in theory. In practice, however, quickly managed to find a vulnerability that could allow malicious software to fulfill even the highest activation level of protection, generally denies running unsigned applets. Using the vulnerability malware as before can be run from the open page, completely transparent to the user.
Link: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
No comments:
Post a Comment