Oracle's Java -- The undying list of vulnerabilities and exploits.

Many people still think of Microsoft as the main source of the vulnerabilities that viruses and exploits use against their computers. That is no longer the case: improvements to Microsoft's security model and to Windows Update have lowered the threat from Microsoft products considerably over the last few years. You are still very exposed if you run old products that no longer receive updates, such as Windows 2000 or Windows NT4, but newer releases like Windows 7, Vista and Server 2008 (and, to a lesser extent, XP) are far more secure than anything Microsoft shipped before. The company is beginning to shake its reputation for insecure software.

The number one threat to any PC right now lies in Java. Security analysts publish new lists of Java vulnerabilities and exploits almost weekly. Some of these are exploited for months before a patch is released, and less savvy users may not keep Java up to date even after a fix ships, which leaves them exposed to more vulnerabilities for longer.

The most recently disclosed Java vulnerabilities, several of which have been exploited in the wild, are:

CVE-2012-5083 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (confirmed at the National Vulnerability Database)

CVE-2012-5076 - allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS. (confirmed at the National Vulnerability Database) 

CVE-2012-5080 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (confirmed at the National Vulnerability Database)

CVE-2012-5069 - allows remote attackers to affect confidentiality and integrity via unknown vectors related to Concurrency. (confirmed at the National Vulnerability Database)

CVE-2012-5072 - allows remote attackers to affect confidentiality via unknown vectors related to Security. (confirmed at the National Vulnerability Database)

CVE-2012-1531 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (confirmed at the National Vulnerability Database)

CVE-2012-3143 - allows remote attackers to affect confidentiality, integrity, and availability, related to JMX. (confirmed at the National Vulnerability Database)

CVE-2012-3159 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (confirmed at the National Vulnerability Database)

CVE-2012-5067 - allows remote attackers to affect confidentiality via unknown vectors related to Deployment. (confirmed at the National Vulnerability Database)

CVE-2012-5081 - allows remote attackers to affect availability, related to JSSE. (confirmed at the National Vulnerability Database)

CVE-2012-5086 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. (confirmed at the National Vulnerability Database)

CVE-2012-5088 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. (confirmed at the National Vulnerability Database)

CVE-2012-5068 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. (confirmed at the National Vulnerability Database)

CVE-2012-5070 - allows remote attackers to affect confidentiality, related to JMX. (confirmed at the National Vulnerability Database)

CVE-2012-5082 - allows remote attackers to affect availability via unknown vectors. (confirmed at the National Vulnerability Database)

CVE-2012-5087 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. (confirmed at the National Vulnerability Database)

CVE-2012-5078 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (confirmed at the National Vulnerability Database)

CVE-2012-4416 - allows remote attackers to affect confidentiality and integrity via unknown vectors related to Hotspot. (confirmed at the National Vulnerability Database)

CVE-2012-5075 - allows remote attackers to affect confidentiality, related to JMX. (confirmed at the National Vulnerability Database)

CVE-2012-3216 - allows remote attackers to affect confidentiality via unknown vectors related to Libraries. (confirmed at the National Vulnerability Database)

CVE-2012-1533 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (confirmed at the National Vulnerability Database)

CVE-2012-5089 - allows remote attackers to affect confidentiality, integrity, and availability, related to JMX. (confirmed at the National Vulnerability Database)

CVE-2012-5074 - allows remote attackers to affect confidentiality and integrity, related to JAX-WS. (confirmed at the National Vulnerability Database)

CVE-2012-5073 - allows remote attackers to affect integrity via unknown vectors related to Libraries. (confirmed at the National Vulnerability Database)

CVE-2012-5077 - allows remote attackers to affect confidentiality via unknown vectors related to Security. (confirmed at the National Vulnerability Database)

CVE-2012-1532 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (confirmed at the National Vulnerability Database)

CVE-2012-5084 - allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing. (confirmed at the National Vulnerability Database)

The descriptions above were taken directly from the National Vulnerability Database. The more recent entries, from 2013, are:

CVE-2013-1491 - Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Joshua Drake during a Pwn2Own competition at CanSecWest 2013.

CVE-2013-1488 - Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.

CVE-2013-0402 - Heap-based buffer overflow in Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013.

CVE-2013-0401 - Oracle Java 7 Update 17, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013.

CVE-2013-1493 - The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013.

CVE-2013-0809 - Unspecified vulnerability in the 2D component in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2013-1493.

CVE-2013-0773 - The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site. Note: as its description says, this is a Mozilla browser vulnerability, not a Java one; it does not involve the Java runtime.

CVE-2013-1482 - Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

CVE-2013-1481 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound.

CVE-2013-1480 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" in awt_parseImage.c, which triggers memory corruption.

CVE-2013-1478 - Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" that can trigger an integer overflow and memory corruption.

That is 38 entries in about six months (37 in Java itself, plus the Firefox bug noted above), many of them allowing remote code execution. The Pwn2Own 2013 findings are reported against Java 7 Update 17, the current release when this list was compiled, and every entry on the list remains wide open on any installation that has not been updated.

How do you defend against this kind of broad exposure?

 1) The obvious one: don't install Java. This is not always practical, since Java is used widely across the internet and elsewhere.

 2) Configure your browser not to use Java. This is the best option if you run Java applications locally but don't want exposure to Java attacks from malicious websites. The browser plugin is the usual attack surface: a malicious page can load an applet without any action on the user's part, so keeping the runtime while disabling the plugin removes most of the risk.

    Per-browser instructions (Chrome, Internet Explorer, Firefox, Safari, Opera) for disabling the plugin without uninstalling Java entirely are linked toward the bottom of the page.

 3) Stay up to date. This one is crucial. The list above covers only the last six months; if you have not updated Java in a year or longer, double or triple it. Note that updating Java 7 does not remove a Java 6 installation sitting beside it, so check the installed programs list and remove old runtimes as well.

 4) Use a "NoScript" style plugin for your browser. These block scripts and plugin content (Java applets included) from sites you have not trusted, so a malicious page cannot load an applet even if Java is enabled. They are also effective against Adobe Flash vulnerabilities, of which there are many.

NoScript for Firefox; "Notscript" for Chrome can be found in the Chrome Web Store.
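The following script is an added example for steps 2 and 3 above; it is not code from the original page. It parses a `java -version` banner, reports which of Oracle's fix batches for the CVEs listed on this page are missing from the installed update level, and prints a deployment.properties that switches the browser plugin off. The fix-release numbers in the FIX_LEVELS table (7u9/6u37 for the October 2012 CPU, 7u17/6u43 for the March 2013 2D fix, 7u21/6u45 for the April 2013 CPU covering the Pwn2Own findings) are the editor's baselines from Oracle's patch announcements and are not stated on the page; the banner lines at the bottom are constructed, not taken from real hosts.

```shell
#!/bin/sh
# Added example, not from the original page: audit an installed Java against the
# fix batches for the CVEs listed above, and emit settings that disable web Java.
# Fix-release numbers are assumed baselines from Oracle's patch announcements.

# Oracle fix releases, oldest first: <label> <Java 7 update> <Java 6 update>
FIX_LEVELS='oct2012-cpu 9 37
mar2013-2d-cve-2013-1493 17 43
apr2013-cpu-pwn2own 21 45'

# parse_java_version BANNER
# Accepts a line such as:  java version "1.7.0_17"  (also "1.7.0_17-b02" or "1.7.0")
# and prints "<major> <update>", e.g. "7 17".  Returns 1 if nothing parseable is there.
parse_java_version() {
    q=${1#*\"}                       # drop everything up to the first double quote
    [ "$q" != "$1" ] || return 1     # no quote at all: not a version banner
    q=${q%%\"*}                      # keep up to the closing quote: 1.7.0_17
    case $q in
        1.[0-9].*) ;;                # the 1.x.y_NN scheme used by Java 5 through 8
        *) return 1 ;;
    esac
    major=${q#1.}; major=${major%%.*}
    case $q in
        *_*) update=${q#*_}; update=${update%%[!0-9]*} ;;   # strip build suffixes like -b02
        *)   update=0 ;;                                    # GA release without an update number
    esac
    [ -n "$update" ] || update=0
    printf '%s %s\n' "$major" "$update"
}

# missing_fixes MAJOR UPDATE
# Prints the labels of fix batches that UPDATE does not yet contain, oldest first.
missing_fixes() {
    major=$1; update=$2; out=
    set -- $FIX_LEVELS               # word-split the table into label/u7/u6 triples
    while [ $# -ge 3 ]; do
        label=$1; u7=$2; u6=$3; shift 3
        case $major in
            7) need=$u7 ;;
            6) need=$u6 ;;
            *) return 1 ;;
        esac
        [ "$update" -ge "$need" ] || out="$out${out:+ }$label"
    done
    printf '%s\n' "$out"
}

# java_status BANNER
# Prints PATCHED (exit 0), "VULNERABLE: missing ..." (exit 1), or UNKNOWN / OUT_OF_SCOPE (exit 2).
# Java 5.0 and 1.4.2 are past public end of life, so there is no public update to
# install for them; they are reported OUT_OF_SCOPE rather than compared.
java_status() {
    ver=$(parse_java_version "$1") || { echo UNKNOWN; return 2; }
    set -- $ver
    case $1 in 6|7) ;; *) echo OUT_OF_SCOPE; return 2 ;; esac
    missing=$(missing_fixes "$1" "$2")
    if [ -z "$missing" ]; then
        echo PATCHED; return 0
    fi
    echo "VULNERABLE: missing $missing"; return 1
}

# web_java_off_properties
# Prints Java Control Panel settings that disable Java in the browser and raise the
# applet security slider.  deployment.webjava.enabled exists from Java 7 Update 10;
# on older releases the plugin must be disabled in the browser itself (step 2).
# Per user the file is ~/.java/deployment/deployment.properties on Linux or
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties on Windows.
# The ".locked" lines only take effect in a system-wide file referenced from deployment.config.
web_java_off_properties() {
    cat <<'EOF'
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
EOF
}

# Demonstration on constructed banner lines (not taken from real hosts):
for banner in 'java version "1.7.0_17"' 'java version "1.6.0_37"' 'java version "1.7.0_21"' 'java version "1.5.0_40"'; do
    printf '%-28s %s\n' "$banner" "$(java_status "$banner")"
done
# Against the live install:  java_status "$(java -version 2>&1 | head -n 1)"
```

To audit a real machine, feed it the first line of `java -version 2>&1`; remember that a PC can carry several runtimes side by side, so run it against each `java` binary you find, not only the one first on PATH. Redirect `web_java_off_properties` into the deployment.properties path for your platform, then confirm in the Java Control Panel that "Enable Java content in the browser" is unchecked.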
