
Archive for the ‘Security’ Category

New exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7

September 17, 2012

A new exploit is circulating for Internet Explorer 7, 8 and 9 on Windows XP, Vista and 7. A computer can be compromised simply by visiting a malicious website; the attacker then runs code with the privileges of the logged-in user, so browsing from an account with administrative rights gives up the whole machine. Microsoft has not yet released a patch for this vulnerability, so Internet Explorer users are strongly advised to switch to another browser, such as Chrome or Firefox, until a security update becomes available.

Microsoft has issued a security advisory about the situation: http://technet.microsoft.com/en-us/security/advisory/2757760

UPDATE:

  • Sep 19th, 2012 – Microsoft released a “fix-it” solution. It has been verified to work. More information can be found here. Note that the Fix it is an interim workaround, not a replacement for the security update that follows.
  • Sep 20th, 2012 – Microsoft updated the “fix-it” advisory to revision 2.0 and clarified the requirements: 1) “For computers that are running 64-bit operating systems, the following Fix it solution only applies to 32-bit versions of Internet Explorer.” 2) Before you apply this Fix it solution, you must ensure that Internet Explorer is fully updated by using the Windows Update service.
  • Sep 21st, 2012 – Microsoft released Security Bulletin MS12-063 and the Cumulative Security Update for Internet Explorer (KB2744842). Users and administrators should install the update as soon as possible; once it is installed, the Fix it is no longer needed.

New Java Exploit

August 21, 2012

Multiple vulnerabilities have been found in the Java Runtime Environment (JRE) component of Oracle Java SE 7 Update 6 and earlier. They allow a remote attacker to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by:

  1. using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then
  2. using “reflection with a trusted immediate caller” to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

Once an applet can rewrite a private field that the security checks depend on, it is no longer confined by the sandbox, which is why a drive-by applet is enough for arbitrary code execution.

For more information, see CVE-2012-4681: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681

Oracle has addressed the vulnerability in the following security alert: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
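The bypass described above chains two otherwise legitimate-looking API references, so one practical triage check for a suspect jar is to look for class files that reference both of them. The scanner below is an added example written for this page, not code from the original post or from the exploit itself: it parses the constant pool of a Java .class file and flags the CVE-2012-4681 indicator pattern. The indicator list (the two API names plus the Gondzz/Gondvv class names) and the constructed sample class files are assumptions made for illustration.

```python
"""Heuristic triage of Java .class files for the CVE-2012-4681 pattern.

Added example (not code from the original post or the exploit). It reads the
constant pool of a class file and reports whether the class references both
com.sun.beans.finder.ClassFinder and sun.awt.SunToolkit, or carries one of
the class names seen in the August 2012 samples. The indicator set is an
assumption for illustration; a production detector would use a larger one.
"""
import struct

# Internal (slash-separated) names as they appear in a class file constant pool.
CLASSFINDER = "com/sun/beans/finder/ClassFinder"
SUNTOOLKIT = "sun/awt/SunToolkit"
KNOWN_NAMES = {"Gondzz", "Gondvv"}   # class names from the in-the-wild samples

# Byte size (after the 1-byte tag) of each fixed-length constant pool entry.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(data):
    """Return all CONSTANT_Utf8 entries of a class file (JVM spec section 4.4)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count
    pos, index, strings = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                # CONSTANT_Utf8
            length = struct.unpack_from(">H", data, pos)[0]
            pos += 2
            strings.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos - 1))
        index += 2 if tag in (5, 6) else 1          # Long/Double take two slots
    return strings


def indicators(data):
    """Return the set of indicator labels found in one class file."""
    found = set()
    for s in constant_pool_strings(data):
        if CLASSFINDER in s:
            found.add("ClassFinder")
        if SUNTOOLKIT in s:
            found.add("SunToolkit")
        if s in KNOWN_NAMES:          # a class's own name is in its pool too
            found.add("known-name:" + s)
    return found


def is_suspicious(data):
    """Flag a class that pairs the two APIs or carries a known sample name."""
    found = indicators(data)
    return ("ClassFinder" in found and "SunToolkit" in found) or \
        any(f.startswith("known-name:") for f in found)


def build_sample(strings):
    """Constructed test input: a class-file prefix whose constant pool holds the
    given Utf8 entries plus one CONSTANT_Long (to exercise the two-slot rule).
    Enough for the parser above; it is not a loadable class."""
    pool = b""
    for s in strings:
        raw = s.encode("utf-8")
        pool += struct.pack(">BH", 1, len(raw)) + raw
    pool += struct.pack(">Bq", 5, 0)
    count = len(strings) + 2 + 1            # Utf8 entries + Long (2 slots) + 1
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, count) + pool


# Constructed samples: one modelled on the exploit class, one benign.
MALICIOUS = build_sample(["Gondvv", "java/lang/Object", CLASSFINDER,
                          SUNTOOLKIT, "getField", "setSecurityManager"])
BENIGN = build_sample(["Hello", "java/lang/Object", "java/lang/System",
                       "println"])

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, sorted(indicators(blob)), is_suspicious(blob))
```

Run it over the .class files extracted from a suspect jar. With CVE-2012-4681 the API names appear as plain string constants, so this heuristic catches the unobfuscated samples but will miss a variant that assembles the class names at runtime.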

UPDATE:

  • Aug. 30, 2012: Oracle released updates for both JRE 6 (Update 35) and JRE 7 (Update 7). Users are advised to update their JRE as soon as possible.
  • Sept. 6, 2012: Apple released Java 6 Update 35 for OS X. There has been no recent news about the known bugs still present in Java 7.