
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   ANTI_VIRUS      Anti-Virus Discussion & News      523 messages   


   Message 200 of 523   
   Ben Ritchey to All   
   US-CERT Alert TA13-010A - Oracle Java 7    
   11 Jan 13 17:03:58   
   
   From: US-CERT Alerts    
   Organization: US-CERT - +1 202-205-5266   
   Subject: US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability
      
      
   National Cyber Awareness System   
      
   US-CERT Alert TA13-010A   
   Oracle Java 7 Security Manager Bypass Vulnerability   
      
   Original release date: January 10, 2013   
   Last revised: --   
      
   Systems Affected   
      
        Any system using Oracle Java 7 (1.7, 1.7.0) including   
      
        * Java Platform Standard Edition 7 (Java SE 7)   
        * Java SE Development Kit (JDK 7)   
        * Java SE Runtime Environment (JRE 7)   
      
        All versions of Java 7 through update 10 are affected.  Web   
        browsers using the Java 7 plug-in are at high risk.   
      
      
   Overview   
      
      A vulnerability in the way Java 7 restricts the permissions of Java   
      applets could allow an attacker to execute arbitrary commands on a   
      vulnerable system.   
      
      
   Description   
      
      A vulnerability in the Java Security Manager allows a Java applet   
      to grant itself permission to execute arbitrary code. An attacker   
      could use social engineering techniques to entice a user to visit a   
      link to a website hosting a malicious Java applet. An attacker   
      could also compromise a legitimate web site and upload a malicious   
      Java applet (a "drive-by download" attack).   
      
      Any web browser using the Java 7 plug-in is affected. The Java   
      Deployment Toolkit plug-in and Java Web Start can also be used as   
      attack vectors.   
      
      Reports indicate this vulnerability is being actively exploited,   
      and exploit code is publicly available.   
      
      Further technical details are available in Vulnerability Note   
      VU#625617.   
      
      
   Impact   
      
      By convincing a user to load a malicious Java applet or Java   
      Network Launching Protocol (JNLP) file, an attacker could execute   
      arbitrary code on a vulnerable system with the privileges of the   
      Java plug-in process.   
      
      
   Solution   
      
      Disable Java in web browsers   
      
      This and previous Java vulnerabilities have been widely targeted by   
      attackers, and new Java vulnerabilities are likely to be   
      discovered. To defend against this and future Java vulnerabilities,   
      disable Java in web browsers.   
      
      Starting with Java 7 Update 10, it is possible to disable Java   
      content in web browsers through the Java control panel applet. From   
      Setting the Security Level of the Java Client:   
      
      For installations where the highest level of security is required,   
      it is possible to entirely prevent any Java apps (signed or   
      unsigned) from running in a browser by de-selecting Enable Java   
      content in the browser in the Java Control Panel under the Security   
      tab.   
      
      If you are unable to update to Java 7 Update 10 please see the   
      solution section of Vulnerability Note VU#636312 for instructions   
      on how to disable Java on a per browser basis.   
      
      
   References   
      
    * Vulnerability Note VU#625617
    * Setting the Security Level of the Java Client
    * The Security Manager
    * How to disable the Java web plug-in in Safari
    * How to turn off Java applets
    * NoScript
    * Securing Your Web Browser
    * Vulnerability Note VU#636312
      
      
   Revision History   
      
     January 10, 2013: Initial release   
      
    ____________________________________________________________________   
      
      Feedback can be directed to US-CERT Technical Staff. Please send   
      email to  with "TA13-010A Feedback VU#625617" in   
      the subject.   
    ____________________________________________________________________   
      
      Produced by US-CERT, a government organization.   
    ____________________________________________________________________   
      
   This product is provided subject to this Notification:   
   http://www.us-cert.gov/privacy/notification.html   
      
   Privacy & Use policy:   
   http://www.us-cert.gov/privacy/   
      
   This document can also be found at   
   http://www.us-cert.gov/cas/techalerts/TA13-010A.html   
      
   For instructions on subscribing to or unsubscribing from this   
   mailing list, visit http://www.us-cert.gov/cas/signup.html   
      
   -+-   
    + Origin: US-CERT - +1 202-205-5266 (1:396/3)   
      
    =-=-=-=-=-=-=-= .END of Forwarded message =-=-=-=-=-=-=-=   
      
   --   
   Be well    :^)   
      
    : Ben  aka cMech  Web: http://cmech.dynip.com:8080   
    :           Home page: http://users.lusfiber.net/~fido4cmech   
    :   
    +    WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
   --- GoldED+/W32-MSVC   
    * Origin: FIDONet - The Positronium Repository (1:393/68)   
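
Added example, not part of the US-CERT alert or the forwarded message: a small triage helper that checks a `java -version` banner against the alert's affected range (Java 7 through update 10) and whether the Java Control Panel browser switch, available from update 10, is off. The function names and sample inventory are constructed for illustration, and it assumes the checkbox is stored as `deployment.webjava.enabled` in the user's deployment.properties file.

```python
import re

# Version token in `java -version` output, e.g.: java version "1.7.0_10"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')
LAST_AFFECTED_UPDATE = 10   # alert: "All versions of Java 7 through update 10"
PANEL_SWITCH_SINCE = 10     # alert: browser switch exists "Starting with Java 7 Update 10"
# Assumption (not in the alert): key written by the Control Panel checkbox.
WEBJAVA_KEY = "deployment.webjava.enabled"


def parse_java_version(banner):
    """Return (major, update) parsed from a version banner, or None."""
    m = VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def browser_java_disabled(properties_text):
    """True only if the properties text explicitly sets the key to false."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == WEBJAVA_KEY:
            return value.strip().lower() == "false"
    return False  # key absent: browser content stays enabled by default


def triage(banner, properties_text=""):
    """Classify one host against the alert's affected range and mitigation."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"                  # unparsed banner: review by hand
    major, update = parsed
    if major != 7 or update > LAST_AFFECTED_UPDATE:
        return "outside-alert-range"      # not covered by this alert's text
    if update >= PANEL_SWITCH_SINCE and browser_java_disabled(properties_text):
        return "affected-browser-disabled"
    return "affected-exposed"             # needs per-browser disable


# Constructed sample inventory, not real hosts.
SAMPLES = [
    ('java version "1.7.0_10"', "deployment.webjava.enabled=false"),
    ('java version "1.7.0_09"', "deployment.webjava.enabled=false"),
    ('java version "1.7.0"', ""),
    ('java version "1.6.0_38"', ""),
]

if __name__ == "__main__":
    for banner, props in SAMPLES:
        print(banner, "->", triage(banner, props))
```

Hosts reported as `affected-exposed` below update 10 are the ones the alert directs to the per-browser instructions in Vulnerability Note VU#636312.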



(c) 1994,  bbs@darkrealms.ca