===========================================================================
AUSCERT Security Bulletin

ASB-2013.0006
Oracle releases Security Alert for CVE-2013-0422
14 January 2013

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              JDK and JRE 7 Update 10 and earlier
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Mobile Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0422 CVE-2012-3174
Member content until: Wednesday, February 13 2013
Reference:            ESB-2013.0067

Comment: The vulnerability CVE-2013-0422 is currently being widely exploited
         in malware kits and the details of this vulnerability are publicly
         documented and freely available.

OVERVIEW

        Oracle have released Security Alert for CVE-2013-0422 to fix this
        vulnerability and another with a CVSS score of 10.0 in Oracle
        Java SE. [1]

IMPACT

        Oracle has published updates for the Oracle Java SE product group.
        The exploitable vulnerabilities apply to Java running in web
        browsers and on desktops.

        The Security Alert contains 2 new security fixes for Oracle Java SE.
        Both vulnerabilities, when exploited, allow arbitrary code to be
        executed.

        Included with this update is a change to the default Java Security
        Level setting, from "Medium" to "High". This new setting will cause
        users always to be prompted before any unsigned Java applet or Java
        Web Start application is run. [1]

MITIGATION

        Due to the high severity of the vulnerabilities, Oracle strongly
        recommends that customers apply this update as soon as possible.

REFERENCES

        [1] Oracle Security Alert for CVE-2013-0422
            http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
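To prioritise the update, an inventory of `java -version` banners can be sorted against the bulletin's "JDK and JRE 7 Update 10 and earlier" scope. The following is an added example, not part of the AusCERT bulletin or Oracle's alert. It assumes the legacy `1.<family>.0_<update>` banner format, treats only the Java 7 family as in scope, and uses constructed host names and banners.

```python
import re

# Scope taken from the bulletin: "JDK and JRE 7 Update 10 and earlier".
# Assumption: "and earlier" is read as earlier updates of the Java 7 family only.
AFFECTED_FAMILY = 7
LAST_AFFECTED_UPDATE = 10

# Legacy banner printed by `java -version`, e.g.  java version "1.7.0_10"
_BANNER = re.compile(r'version "1\.(\d+)\.0(?:_(\d+))?[^"]*"')


def classify(banner):
    """Return (family, update, status) for one `java -version` banner line."""
    m = _BANNER.search(banner)
    if not m:
        return (None, None, "unparsed")          # review these hosts by hand
    family = int(m.group(1))
    update = int(m.group(2) or 0)                # "1.7.0" is the GA build, update 0
    if family != AFFECTED_FAMILY:
        status = "out-of-scope"                  # not named in this bulletin
    elif update <= LAST_AFFECTED_UPDATE:
        status = "affected"
    else:
        status = "later-update"                  # newer than the affected range
    return (family, update, status)


def triage(inventory):
    """Return the sorted host names whose banner falls in the affected range."""
    return sorted(h for h, b in inventory.items() if classify(b)[2] == "affected")


# Constructed inventory (hypothetical hosts and banners) for illustration.
SAMPLE_INVENTORY = {
    "ws-001": 'java version "1.7.0_10"',
    "ws-002": 'java version "1.7.0"',
    "ws-003": 'java version "1.7.0_11"',
    "ws-004": 'java version "1.6.0_38"',
    "ws-005": "java: command not found",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(host, classify(banner))
    print("apply update first on:", triage(SAMPLE_INVENTORY))
```

Hosts reported as `unparsed` or `out-of-scope` are not cleared by this check; they fall outside what this bulletin describes and need their own review.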