[ISN] Java Vulnerability Affects 1 Billion Plug-ins

From: InfoSec News <alerts_at_private>
Date: Thu, 27 Sep 2012 03:33:06 -0500 (CDT)
http://www.informationweek.com/security/application-security/java-vulnerability-affects-1-billion-plu/240007985

By Mathew J. Schwartz
InformationWeek
September 26, 2012

Anyone still using a Java plug-in in their Web browser, beware: Another major, 
new--and as yet unpatched--vulnerability has been spotted in Java.

Unfortunately, unlike a number of the other recently reported Java bugs, 
the latest security issue affects not just the current version, Java 7, 
but also versions 5 and 6. In other words, every version of Java released 
in the past eight years, collectively used by approximately one billion 
people, is vulnerable.

Security researcher Adam Gowdiak of Security Explorations announced the 
bug discovery Tuesday in a post to the Full Disclosure mailing list. 
"The impact of this issue is critical--we were able to successfully 
exploit it and achieve a complete Java security sandbox bypass in the 
environment of Java SE 5, 6, and 7." In other words, a malicious applet 
served from a web page could escape the sandbox and run arbitrary code 
with the privileges of the user running the browser, remotely 
compromising a vulnerable system.

Gowdiak said his firm successfully demonstrated the vulnerability on 
Java SE 5 Update 22, Java SE 6 Update 35, and Java SE 7 Update 7, using 
a fully patched 32-bit Windows 7 system, as well as five different Web 
browsers: Firefox 15.0.1, Google Chrome 21.0.1180.89, Internet Explorer 
9.0.8112.16421 (update 9.0.10), Opera 12.02 (build 1578), and Safari 
5.1.7 (7534.57.2).
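Because the bug is unpatched, the practical check is an inventory one: which Java family and update is installed on each host, and does it fall at or below the updates Security Explorations tested. The script below is an added example, not code from the article or from Security Explorations. It parses the first line of `java -version` output (Sun/Oracle format `java version "1.7.0_07"`, which maps to Java SE 7 Update 7) and compares the result against the three tested updates named above; the host names and the output strings are constructed sample data, not real collection results.

```python
import re
from typing import Dict, Optional, Tuple

# Java SE updates the article reports as demonstrably affected
# (Java SE 5u22, 6u35, 7u7). With no fix available at the time, every
# update up to and including these is treated as in scope.
AFFECTED_FAMILIES = {5: 22, 6: 35, 7: 7}

# First line of `java -version`: java version "1.<family>.0_<update>"
# (OpenJDK builds of that era print the same "java version" prefix; the
# "openjdk" prefix is accepted as well.)
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Parse `java -version` output into (family, update), e.g. (7, 7).

    Returns None when the text does not look like `java -version` output
    (for example a 'command not found' error from a host without Java)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def assess(output: str) -> str:
    """Classify one host's `java -version` output against the tested updates."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown: not java -version output"
    family, update = parsed
    label = f"Java SE {family} Update {update}"
    if family not in AFFECTED_FAMILIES:
        return f"{label}: family not covered by the report"
    tested = AFFECTED_FAMILIES[family]
    if update <= tested:
        return f"{label}: affected (at or below tested Update {tested}; no fix available)"
    return f"{label}: newer than the tested Update {tested}; check vendor advisory"


# Constructed sample data standing in for output gathered from several
# hosts; these are not real collection results.
SAMPLES: Dict[str, str] = {
    "host-a": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "host-b": 'java version "1.6.0_35"\n',
    "host-c": 'java version "1.5.0_22"\n',
    "host-d": 'java version "1.7.0_03"\n',
    "host-e": "bash: java: command not found\n",
}


def report(samples: Dict[str, str] = SAMPLES) -> Dict[str, str]:
    """Return a per-host verdict for every sample."""
    return {host: assess(out) for host, out in samples.items()}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host}: {verdict}")
```

The browser plug-in ships with the Oracle JRE installer, so the JRE version is a reasonable proxy for plug-in exposure; since no patched update existed when the article ran, the only verdict that changes anything operationally is "unknown", and the mitigation for every other host is to disable or remove the browser plug-in.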

[...]


Received on Thu Sep 27 2012 - 01:33:06 PDT
