Tuesday, March 5, 2013

Java Updates!
Apple: JRE 6u43
Oracle: Java Plug-in 7u17

--
DéDéDéjà vVvVu bZzzt@_@

Three Java patches are out, again!

I) From Apple: Java for Mac OS X 10.6 Update 14

This update includes:

- A) JRE (Java Runtime Environment) version 6u43 (1.6 update 43), installed into OS X.
- B) Java Plug-in version 6u43

About Java for Mac OS X 10.6 Update 13
Java for Mac OS X 10.6 Update 13 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_41.

On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.

Please quit any web browsers and Java applications before installing this update.

About the security content of Java for OS X 2013-002 and Mac OS X v10.6 Update 14

Impact: Multiple vulnerabilities in Java 1.6.0_41

Description: Multiple vulnerabilities existed in Java 1.6.0_41, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_43. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

CVE-ID: CVE-2013-0809, CVE-2013-1493

II) From Apple: Java for OS X 2013-002, for OS X 10.7 and 10.8.

About Java for OS X 2013-002

Java for OS X 2013-001 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_41.

On systems that have not already installed Java for OS X 2012-006, this update disables the Java SE 6 applet plug-in. To use applets on a web page, click on the region labeled "Missing plug-in" to download the latest version of the Java applet plug-in from Oracle.

Please quit any web browsers and Java applications before installing this update.

About the security content of Java for OS X 2013-002 and Mac OS X v10.6 Update 14

Impact: Multiple vulnerabilities in Java 1.6.0_41

Description: Multiple vulnerabilities existed in Java 1.6.0_41, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_43. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

CVE-ID: CVE-2013-0809, CVE-2013-1493

As per usual, Apple's documentation is a MESS. The security page for Java for OS X 2013-002 is inexplicably labeled as being for 2013-001. (0_o) Hopefully, when you visit the page, someone at Apple will have noticed and repaired the blundering. Again, this is a long term problem with Apple's documentation team, incredibly confusing, annoying and dysfunctional. I'm calling them out, yet again. 

Dear Apple, please FIX YOUR DOCUMENTATION TEAM! For REALZ!


III) From Oracle: Java Plug-in 7u17, for OS X 10.7.3 - 10.8 only (not 10.6).

Java software for your computer, or the Java Runtime Environment, is also referred to as the Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, or Java download.

Oracle Security Alert for CVE-2013-1493

Description

This Security Alert addresses security issues CVE-2013-1493 (US-CERT VU#688246) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

I've tested this update. The 'Control Panel' system preferences pane is the same cruddy thing as last time. The checkboxes do NOT work. Jam the 'Security' setting to 'Very High' and even then, don't count on it actually working properly. Instead, if you must use Java, keep Java OFF in all your web browsers until you are at a verified safe website, then turn Java on, then reload the website for functionality. Then, BEFORE you leave that web page, turn Java OFF again.

The concept is to avoid any possibility of drive-by Java infections from maliciously hacked web pages. We learned last month that an entirely reputable iOS development website was maliciously hacked such that many developers were drive-by infected via Java. This included certain individual computers at Apple, Twitter, Facebook and others being infected. IOW, it can be extremely difficult to know if a website is absolutely safe. The best option is to Just Turn Java OFF. Only turn it on when a website REQUIRES Java to run for a service you must use. Then be sure to Just Turn Java OFF again BEFORE you leave that website. This is critical. Java is that dangerous.

Summary:

For users of OS X 10.6 only, install Java for Mac OS X 10.6 Update 14.

For users of OS X 10.7.3 through 10.8.x, install BOTH Java for OS X 2013-002 and Oracle's Java Plug-in 7u17.

Be as safe as possible when surfing the Internet. Just Turn Java OFF until you require it. Just Turn Java OFF again immediately after you are finished using it.
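As an added example, not code from the original post nor from Apple or Oracle, the following Python script checks whether an installed Java is at or above the patched versions named above (1.6.0_43 for the Java SE 6 line, 1.7.0_17 for the Oracle 7 line). It parses the first line of `java -version` output, which on a Mac reports the command-line JRE and is only a proxy for the browser plug-in version; the sample banners in the block are constructed, and `check_installed` runs the real `java` binary if one is present.

```python
import re
import subprocess

# Minimum patched versions named in this post, keyed by Java major line.
# Tuples mirror the 1.x.y_zz banner format so they compare element-wise.
PATCHED = {
    6: (1, 6, 0, 43),   # Apple Java for Mac OS X 10.6 Update 14 / Java for OS X 2013-002
    7: (1, 7, 0, 17),   # Oracle Java Plug-in 7u17
}

# Pre-Java-9 banner, e.g. java version "1.6.0_43"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_java_version(banner):
    """Turn a `java -version` banner into a tuple such as (1, 6, 0, 43).
    Returns None when the banner is not in the 1.x.y_zz format."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def needs_update(version):
    """True when the version is older than the patched release for its line.
    A major line this post does not cover is flagged as needing attention."""
    major = version[1]
    if major not in PATCHED:
        return True
    return version < PATCHED[major]


def check_banner(banner):
    """Classify a banner as 'patched', 'update' or 'unparsed'; returns (status, version)."""
    version = parse_java_version(banner)
    if version is None:
        return ("unparsed", None)
    return ("update" if needs_update(version) else "patched", version)


def check_installed():
    """Run the host's `java -version` (it prints to stderr) and classify the result.
    Returns ('not installed', None) when no java binary is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ("not installed", None)
    return check_banner(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real machine.
    samples = [
        'java version "1.6.0_41"',   # pre-patch Apple Java SE 6 -> update
        'java version "1.6.0_43"',   # Java for OS X 2013-002 level -> patched
        'java version "1.7.0_15"',   # pre-patch Oracle 7 -> update
        'java version "1.7.0_17"',   # Oracle 7u17 -> patched
    ]
    for s in samples:
        print(s, "->", check_banner(s)[0])
    print("this host ->", check_installed()[0])
```

The comparison is plain tuple ordering, so an installed 1.6.0_45 or 1.7.0_21 is also reported as patched; only the lines this post names are known to the script, and anything else is reported as needing attention rather than silently passed.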

Be seeing you, soon no doubt, for the next set of Java updates.

--

