BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Java: Sizeable Critical Patch Update and Two Sugars, Please

Posted April 15, 2013    BeyondTrust Research Team

Oracle is rolling out yet another Critical Patch Update (CPU) for Java – and this time they’ve fixed 39 remotely exploitable vulnerabilities. This is not to say that all of these vulnerabilities may provide an attacker with remote code execution. However, the highest CVSS Base Score of all the vulnerabilities was a 10.0, meaning that an attacker would have gained a considerable amount of capabilities on the target machine if the vulnerability was properly exploited. The amount of vulnerabilities with a 10.0 CVSS score is not known, but if it is anything like February’s CPU, there may be a considerable amount.

This Critical Patch Update fixes a total of 42 security fixes, which is slightly outclassed by February’s CPU which brought 55 security updates, including the updated February re-release prompted by attacks occurring in the wild.

April’s CPU is coming out tomorrow, April 16th, with another CPU scheduled for June 18th, 2013. Oracle had promised in the past that they would be increasing the frequency of Java patches, so there is some likelihood of another unscheduled patch. As always, ensure that your systems that utilize Java are up-to-date using Retina CS, which also provides Java patching. If you have systems with Java installed that do not need Java, uninstall Java immediately and save yourself the headache.

Update: Java 7 Update 21 and Java 6 Update 45 have been released! For more information about the patch contents, check out Oracle’s risk matrix, which details the CVEs addressed in this latest patch. For more information about a few exploitable vulnerabilities that were patched in this update, read Adam Gowdiak’s (Security Explorations) description of some of the vulnerabilities they discovered and reported to Oracle. Also included in this update are a few changes to Java’s security prompts, which will prove useful for avoiding malicious Java applets that were self-signed or unsigned.

Tags:
, , , , , ,

Leave a Reply

Additional articles

skeletonkey3_713678_713680

Stopping the Skeleton Key Trojan

Posted June 29, 2015    Robert Auch

Earlier this year Dell’s SecureWorks published an analysis of a malware they named “Skeleton Key”. This malware bypasses authentication for Active Directory users who have single-factor (password only) authentication. The “Skeleton Key” attack as documented by the SecureWorks CTU relies on several critical parts.

Tags:
, , , , ,
webinar 2

On Demand Webinar: 10 Steps to Building an Effective Vulnerability Management Program

Posted June 26, 2015    BeyondTrust Software

In this on demand webinar, Cybersecurity Expert, Derek A.Smith will take you through his 10 steps for a successful vulnerability management program and how to get started now.

Tags:
, ,
AHHA_PRO.LOGO

Privileged Account Management – Another AH-HA in Cyber Security

Posted June 25, 2015    Nigel Hedges

I strongly believe that the Top 4 mitigation strategies don’t just simply apply to Australian organizations, it should be a global realization, a worldwide “ah ha!” for those still not quite understanding the importance here. Here’s a refresher (or intro) on the Top 4 mitigation strategies. Read on…

Tags:
, ,