
=====================================================================

                           CERT-Renater

               Information Note No. 2013/VULN037
_____________________________________________________________________

DATE                : 04/02/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Oracle Java version 7.

======================================================================
https://blogs.oracle.com/security/entry/february_2013_critical_patch_update
http://www.kb.cert.org/vuls/id/858729
______________________________________________________________________

February 2013 Critical Patch Update for Java SE Released
By Eric P. Maurice on Feb 01, 2013

Hi, this is Eric Maurice again.

Oracle just released the February 2013 Critical Patch Update for Java
SE.  The original Critical Patch Update for Java SE was scheduled for
February 19th, but Oracle decided to accelerate the release because one
of the vulnerabilities addressed by this Critical Patch Update, affecting
the Java Runtime Environment (JRE) in desktop browsers, was being
actively exploited “in the wild”.

In addition to a number of security in-depth fixes, the February 2013
Critical Patch Update for Java SE contains fixes for 50 security
vulnerabilities.  44 of these vulnerabilities only affect client
deployment of Java (e.g., Java in Internet browsers).  In other words,
these vulnerabilities can only be exploited on desktops through Java
Web Start applications or Java applets.  In addition, one vulnerability
affects the installation process of client deployment of Java (i.e.
installation of the Java Runtime Environment on desktops).  Note also
that this Critical Patch Update includes the fixes that were previously
released through Security Alert CVE-2013-0422.

3 of the vulnerabilities fixed in this Critical Patch Update apply to
client and server deployment of Java; that means that these
vulnerabilities can be exploited on desktops through Java Web Start and
Java applets in browsers, or on servers, by supplying malicious input to
APIs in the vulnerable server components.  In some instances, the
exploitation scenario for this kind of bug on servers is very
improbable; for example, one of these vulnerabilities can only be
exploited against a server in the unlikely scenario that the server was
allowed to process image files from an untrusted source.

Finally, 2 of the vulnerabilities fixed in this Critical Patch Update
only apply to server deployment of the Java Secure Socket Extension
(JSSE).

The maximum CVSS Base Score for the vulnerabilities fixed in this
Critical Patch Update is 10.0.  This score applies to 26 vulnerabilities:
23 of which are client-side vulnerabilities, and 3 applicable to client
and server deployments.

This Critical Patch Update is consistent with previous Java security
releases, in that most of the vulnerabilities addressed in this
Critical Patch Update only affect Java and Java FX client deployments.
This reflects the fact that the Java server environment is more secure
than the Java Runtime Environment in browsers because servers operate
in a more secure and controlled environment.

The popularity of the Java Runtime Environment in desktop browsers,
and the fact that Java in browsers is OS-independent, make Java an
attractive target for malicious hackers.  Note however that, as stated
in a previous blog entry, Oracle reports the most severe CVSS Base
Score.

Furthermore, to help mitigate the threat of malicious applets (Java
exploits in internet browsers), Oracle has switched the Java security
settings to “high” by default.  The "high" security setting requires
users to expressly authorize the execution of unsigned applets, allowing
a browser user to deny execution of a suspicious applet (where in the
past a suspicious applet could execute "silently").  As a result,
unsuspecting users visiting malicious web sites will be notified before
an applet is run and will gain the ability to deny the execution of the
potentially malicious applet.  In addition, Oracle has recently
introduced the ability for users to easily disable Java in their
browsers through the Java Control Panel on Windows.

As stated at the beginning of this blog, Oracle decided to release this
Critical Patch Update earlier than planned.  After receiving reports of
a vulnerability in the Java Runtime Environment (JRE) in desktop
browsers, Oracle quickly confirmed these reports, and then proceeded
with accelerating normal release testing around the upcoming Critical
Patch Update distribution, which already contained a fix for the
issue.  Oracle felt that releasing this Critical Patch Update two
weeks ahead of our intended schedule, instead of releasing a one-off
fix through a Security Alert, would be more effective in helping
preserve the security posture of Java customers.  The size of this
Critical Patch Update, as well as its early publication, demonstrates
Oracle’s intention to accelerate the release of Java fixes,
particularly to help address the security worthiness of the Java
Runtime Environment (JRE) in desktop browsers.

For more information:

The advisory for the February 2013 Critical Patch Update is located at
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html

More information about setting the security level in the Java client is
available at
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

More information about Oracle Software Security Assurance is located at
http://www.oracle.com/us/support/assurance/index.html

______________________________________________________________________


National Cyber Awareness System

US-CERT Alert TA13-032A
Oracle Java 7 Multiple Vulnerabilities

Original release date: February 01, 2013
Last revised: --

Systems Affected

     Any system using Oracle Java 7 (1.7, 1.7.0) including

     * Java Platform Standard Edition 7 (Java SE 7)
     * Java SE Development Kit (JDK 7)
     * Java SE Runtime Environment (JRE 7)

     All versions of Java 7 before Update 13 are affected. Web
     browsers using the Java 7 plug-in are at high risk.


Overview

   Multiple vulnerabilities in Java 7 could allow an attacker to
   execute arbitrary code on a vulnerable system.


Description

   The Oracle Java SE Critical Patch Update Advisory for February 2013
   addresses multiple vulnerabilities in the Java Runtime Environment
   (JRE). Both Java applets delivered via web browsers and stand-alone
   Java applications are affected; however, web browsers using the Java
   7 plug-in are at particularly high risk. Java 7 versions below
   Update 13 are affected.

   The Java 7 plug-in, the Java Deployment Toolkit plug-in, and Java
   Web Start can be used as attack vectors. An attacker could use
   social engineering techniques to entice a user to visit a link to a
   website hosting a malicious Java applet. An attacker could also
   compromise a legitimate web site and upload a malicious Java applet
   (a "drive-by download" attack).

   Some vulnerabilities affect stand-alone Java applications,
   depending on how the Java application functions and how it
   processes untrusted data.

   Reports indicate that at least one of these vulnerabilities is
   being actively exploited.

   Further technical details are available in Vulnerability Note
   VU#858729.


Impact

   By convincing a user to load a malicious Java applet or Java
   Network Launching Protocol (JNLP) file, an attacker could execute
   arbitrary code on a vulnerable system with the privileges of the
   Java plug-in process.

   Stand-alone Java applications may also be affected.


Solution

   Update Java

   The Oracle Java SE Critical Patch Update Advisory for February 2013
   states that Java 7 Update 13 addresses these vulnerabilities.

   Disable Java in web browsers

   These and previous Java vulnerabilities have been widely targeted
   by attackers, and new Java vulnerabilities are likely to be
   discovered. To defend against this and future Java vulnerabilities,
   consider disabling Java in web browsers until adequate updates have
   been installed. As with any software, unnecessary features should
   be disabled or removed as appropriate for your environment.

   Starting with Java 7 Update 10, it is possible to disable Java
   content in web browsers through the Java control panel applet. From
   "Setting the Security Level of the Java Client":

      For installations where the highest level of security is
      required, it is possible to entirely prevent any Java apps
      (signed or unsigned) from running in a browser by de-selecting
      "Enable Java content in the browser" in the Java Control Panel
      under the Security tab.

   If you are unable to update to at least Java 7 Update 10 please see
   the solution section of Vulnerability Note VU#636312 for
   instructions on how to disable Java on a per-browser basis.

   Restrict access to Java applets

   Network administrators unable to disable Java in web browsers may
   be able to help mitigate these and other Java vulnerabilities by
   restricting access to Java applets using a web proxy. Most web
   proxies have features that can be used to block or whitelist
   requests for .jar and .class files based on network location.
   Filtering requests that carry a Java User-Agent header (the JRE
   identifies itself in that header) may also be effective. For
   environments where Java is required on the local intranet, the
   proxy can be configured to allow access to Java applets hosted
   locally, but block access to Java applets on the internet.
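The proxy-side policy just described (allow .jar/.class fetches and JRE-originated requests to intranet hosts, block them to the internet, and notice clients still running Java 7 below Update 13), as an added example that is not part of the advisory: a small Python check run over constructed proxy log lines. The log format, the local DNS suffix and the use of private address ranges as "intranet" are assumptions; the `Java/1.7.0_NN` User-Agent token is how the JRE identifies itself.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed proxy log lines (not from the advisory): client, method, URL, quoted User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 GET http://intranet.example.local/apps/timesheet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_13"',
    '10.0.0.7 GET http://203.0.113.10/ads/loader.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"',
    '10.0.0.9 GET http://cdn.example.org/widget/Applet.class "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"',
    '10.0.0.9 GET http://www.example.org/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# The JRE identifies itself as e.g. "Java/1.7.0_11" in its User-Agent header.
JAVA_UA_RE = re.compile(r'\bJava/(\d+)\.(\d+)\.(\d+)_(\d+)')
FIXED_UPDATE = 13                         # Java 7 Update 13 per the advisory
INTRANET_SUFFIXES = ('.example.local',)   # assumed local DNS suffix (constructed)
INTRANET_NETS = [ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

def is_java_request(url, user_agent):
    """Applet/Web Start traffic: .jar/.class fetches, or a request sent by the JRE itself."""
    path = urlparse(url).path.lower()
    return path.endswith(('.jar', '.class')) or JAVA_UA_RE.search(user_agent) is not None

def is_intranet(url):
    """Hosts under the local suffix or in private address space count as intranet."""
    host = urlparse(url).hostname or ''
    if host.endswith(INTRANET_SUFFIXES):
        return True
    try:
        return any(ip_address(host) in net for net in INTRANET_NETS)
    except ValueError:   # hostname rather than an IP literal
        return False

def jre_version(user_agent):
    m = JAVA_UA_RE.search(user_agent)
    return tuple(int(g) for g in m.groups()) if m else None

def decide(line):
    """Return (verdict, note): non-Java traffic and local applets are allowed, internet
    applets blocked; the note flags a client still running Java 7 below Update 13."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError('unparseable log line: %r' % line)
    _client, _method, url, user_agent = m.groups()
    if not is_java_request(url, user_agent):
        return 'allow', None
    ver = jre_version(user_agent)
    note = None
    if ver and ver[:3] == (1, 7, 0) and ver[3] < FIXED_UPDATE:
        note = 'client JRE 1.7.0_%d is below Update %d' % (ver[3], FIXED_UPDATE)
    return ('allow' if is_intranet(url) else 'block'), note

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(decide(line), line.split(' ', 3)[2])
```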


References

 * Vulnerability Note VU#858729
   <http://www.kb.cert.org/vuls/id/858729>

 * Oracle Java SE Critical Patch Update Advisory - February 2013
   <http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>

 * Setting the Security Level of the Java Client
   <http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html>

 * The Security Manager
   <http://docs.oracle.com/javase/tutorial/essential/environment/security.html>

 * How to disable the Java web plug-in in Safari
   <https://support.apple.com/kb/HT5241>

 * How to turn off Java applets
   <https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>

 * NoScript
   <http://noscript.net/>

 * Securing Your Web Browser
   <https://www.us-cert.gov/reading_room/securing_browser/#Safari>

 * Vulnerability Note VU#636312
   <http://www.kb.cert.org/vuls/id/636312#solution>

 * Java SE Development Kit 7, Update 13 (JDK 7u13)
   <http://www.oracle.com/technetwork/java/javase/7u13-relnotes-1902884.html>

 * Do Devs Care About Java (In)Security? (Comment about proxy
   filtering)
   <http://taosecurity.blogspot.com/2012/11/do-devs-care-about-java-insecurity.html?showComment=1353874245992#c4794680666510382012>


Revision History

  February 01, 2013: Initial release

 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA13-032A Feedback VU#858729" in
   the subject.
 ____________________________________________________________________

   Produced by US-CERT, a government organization.
 ____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA13-032A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
