Advertisements

Vulnerability

  • A new vulnerability in Java has been discovered.  The vulnerability allows an attacker to gain control of a victim’s computer. The researchers have confirmed that Java SE 5 – Update 22 (Java SE 5 build 1.5.0_22-b03) Java SE 6 – Update 35 (Java SE 6 build 1.6.0_35-b10 ) Java SE 7 Update 7 (Java SE 7 build 1.7.0_07-b10) This vulnerability is caused by a discrepancy with how the Java virtual machine handles defined data types and in doing so violates a fundamental security constraint in the Java runtime, allowing a complete bypass of the Java sandbox. The flaw allows the attacker to gain complete control of a victim’s machine through a malicious website.  Affected web browsers are Safari 5.1.7 Opera 12.02 Chrome 21.0.1180.89 Firefox 15.0.1 Internet Explorer 9.0.8112.16421 Even with fully patched Windows 7 32-bit operating systems you are susceptible to the attack. So far there are no reports of the flaw being used in any malware.  I would take a few preventative steps Reducing the number of active runtimes (code execution environments) on your system If you do not need Java uninstalling or disable it Oracle released a fix for the most critical vulnerabilities on August 30.  The last exploit would allow an attacker to use a malicious Java applet to install programs, or read and change data on the system with the privileges of the current user. But now another flaw in that fix allows a hacker to bypass the patch. That bug in Oracle’s patch still hasn’t been patched, leaving users vulnerable to both the new flaw and the previous attack.  It’s not yet known when or if Oracle will fix this issue.  Oracle has been provided with a technical overview of the bug and example code outlining the flaw but has not yet acted upon it.
  • September 18, 2012

    Microsoft Internet Explorer Security Flaw

    Microsoft discovered a bug or as us techies call it zero day vulnerability in the Internet Explorer web browser.  The bug makes PCs vulnerable to attacks by hackers and malicious code.  The security flaw affects hundreds of millions of Internet Explorer browser users.  Microsoft said attackers can exploit the bug to infect the PC of somebody who visits a malicious website and then take control of the victim’s computer. All but one supported edition of IE is affected: 2001’s IE6, 2006’s IE7, 2009’s IE8 and last year’s IE9. Together, those browsers accounted for 53% of all browsers used worldwide.  The only exception is  IE10, the browser bundled with the new Windows 8, which does not contain the bug. Windows users are advised to switch from Internet Explorer to Chrome, Firefox or Opera until the bug is patched.  Microsoft did not say how long that will take, but several security researchers said they expect the update within a week.  The when Microsoft patches it will be rated “critical” the company’s highest threat ranking. Update: Microsoft will be releasing an out of band “critical” patch on Friday at close to 10 a.m. PT to patch this vulnerability.
  • Oracle Zero Day Vulnerability Still Not Patched after April’s patch release with had 88 patches.  The vulnerability allows an attacker to perform a man in the middle attack and capture information exchanged between clients and databases.  The vulnerability was reported in 2008 and has believed to been around since 1999 when the TNS Listener feature was added to Oracles product line.  Oracle has workarounds for the zero-day flaw which was found in there database server products.  Oracle has gone as far to release a security alert: Oracle Security Alert for CVE-2012-1675 http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html The vulnerability is in the TNS listener which has been recently disclosed as “TNS Listener Poison Attack” affecting the Oracle Database Server.  The products affected are Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3, Oracle Database 11g Release 1, version 11.1.0.7, Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5, Fusion Middleware, Enterprise Manager and E-Business Suite.  Oracle has released work arounds which can be found at My Oracle Support Note 1340831.1 and My Oracle Support Note 1453883.1.