-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0012
Title: UPDATED - Oracle Java 0-day Vulnerability Exploited in the Wild [1-4]

Version history:
11.01.2013 Initial publication
15.01.2013 Patch available - marked with "NEW!"

Summary
=======

This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability possibly related to "permissions of certain Java classes", exploited in the wild in January 2013 and already integrated into the Blackhole and Nuclear Pack exploit kits, affecting Java running in web browsers.

CVE-2013-0422 CVSS v2 Base Score: 10.0 (CRITICAL) (AV:N/AC:L/Au:N/C:C/I:C/A:C) [5]

NEW! Oracle has released update 11 for Java 7.

Vulnerable systems
==================

Any system using Oracle Java 7 (1.7, 1.7.0), including:

- Java Platform Standard Edition 7 (Java SE 7)
- Java SE Development Kit (JDK 7)
- Java SE Runtime Environment (JRE 7)

All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk.

Original Details
================

This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability possibly related to "permissions of certain Java classes", exploited in the wild in January 2013 and already integrated into the Blackhole and Nuclear Pack exploit kits, affecting Java running in web browsers.

NEW! These vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. A successful exploit bypasses the Java Security Manager (the applet sandbox) and can run arbitrary code with the privileges of the user running the browser, impacting the confidentiality, integrity and availability of the user's system.

NEW!
Oracle states that these vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

What can you do?
================

NEW! Oracle has released update 11 for Java 7 [8]. Oracle Security Alert CVE-2013-0422 [7] states that Java 7 Update 11 addresses this vulnerability (CVE-2013-0422) and a different but equally severe vulnerability (CVE-2012-3174). The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run. This prompt is a mitigation, not a fix: a user who accepts it still runs the applet, so the update itself must be applied.

Until the update is applied, it is recommended to disable Java in browsers [6] or to uninstall Java entirely [9-11]. In case Java is absolutely necessary, it is recommended to whitelist only the sites that need to be accessed. Keep the whitelist as short as possible, as the attacks are also initiated through in-page ads and similar third-party content on legitimate sites.

NEW! Because a number of 0-day vulnerabilities in Java have appeared recently, we recommend using two different browsers: one, with Java disabled, to browse the Internet, and another, with the plug-in enabled, only to browse internal or whitelisted web sites.

What to tell your users?
========================

NEW! We recommend using two different browsers: one, with Java disabled, to browse the Internet, and another, with the plug-in enabled, only to browse internal or whitelisted web sites.

Normal security best practices apply. In particular, tell your web users to be cautious about attachments and about following links to sites provided by unfamiliar or suspicious sources. Users should not click on links in suspicious e-mails, and should immediately forward any suspicious e-mail to the IT security officer / contact in your institution.
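As an added example, not part of the CERT-EU advisory, the following Python script classifies the output of "java -version" against the affected range stated under "Vulnerable systems" and "What can you do?" above (Oracle Java 7 up to and including update 10 affected; fixed in Java 7 Update 11), so an administrator can run the same check on many hosts. The version strings in SAMPLES are constructed for the example, and the helper names (parse_java_version, is_affected, assess, check_local_java) are this example's own.

```python
import re
import subprocess

# Affected range per the advisory: Oracle Java 7 (1.7.0) through update 10.
# Java 7 Update 11 is the first release containing the fix for CVE-2013-0422.
FIXED_UPDATE = 11

# Oracle's "java -version" prints (on stderr) a first line such as
#   java version "1.7.0_10"
# The "_<update>" suffix is absent on the GA release ("1.7.0" means update 0).
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from java -version output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_affected(version):
    """True if the parsed version is Java 7 with an update number below the fix."""
    if version is None:
        return False
    major, minor, _micro, update = version
    return (major, minor) == (1, 7) and update < FIXED_UPDATE


def assess(output):
    """Classify raw java -version output: 'affected', 'patched', 'other' or 'unknown'."""
    v = parse_java_version(output)
    if v is None:
        return "unknown"          # no Oracle-style version line found
    if is_affected(v):
        return "affected"         # Java 7 update 0..10
    if (v[0], v[1]) == (1, 7):
        return "patched"          # Java 7 update 11 or later
    return "other"                # not Java 7; outside this advisory's scope


def check_local_java():
    """Run the real 'java -version' if a JRE is on PATH; return its assessment or None."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # The version line goes to stderr; concatenate both streams to be safe.
    return assess(proc.stderr + proc.stdout)


# Constructed sample outputs (not captured from real systems) covering each case.
SAMPLES = {
    "7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "7 GA": 'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)\n',
    "7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "6u38": 'java version "1.6.0_38"\nJava(TM) SE Runtime Environment (build 1.6.0_38-b05)\n',
    "junk": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:5s} -> {assess(out)}")
    local = check_local_java()
    print("local JRE ->", local if local else "no java on PATH")
```

Two caveats when using this on real hosts: the JRE found on PATH is not necessarily the one the browser plug-in loads (several JREs, for example 32-bit and 64-bit on Windows, can coexist), so also inspect the browser's plug-in list or the Java Control Panel; and a "patched" result only covers the two CVEs named in this advisory, it does not replace disabling the plug-in as described in [6] for browsers that do not need it.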
More information
================

[1] http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
[2] http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
[3] http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
[4] http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
[5] Information about CVSS: http://www.first.org/cvss/cvss-guide.html
[6] http://www.kb.cert.org/vuls/id/625617
[7] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
[8] http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
[9] Microsoft Windows: http://www.java.com/nl/download/help/uninstall_java.xml
[10] Linux: http://www.java.com/nl/download/help/linux_uninstall.xml
[11] Mac: http://support.apple.com/kb/HT5549

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQ9q9DAAoJEPpzpNLI8SVoTtYQAJ3YeW8kkxE/H9dg2VcFhqtM
2YE+3Kp5c1YPEnWNE/8f7cYcBy6cmlkoQ7P+ey6x0gtJv+OfcNfsT88TMu3UWcPw
NYRmoOTgcNNatKhh02OxsOrgulhZzUzjTT72YTVlNfRgVoUvIVPxIWwEmg5sck8/
XWClHIuCL9/OEv36y/01+VkqLX0BVjdyeFGwzEptEpSl3uiA8FQIa4a5LnXKrXHa
GhZFck4ypPCZFvdCsvCntSgMh4miZRbeTslSEGoJ8hVxP/23HDS5nBVKn+qN7Zx6
iWJBpd1TwW4DNehLEDNpCVTCBozz8BH7P/TWr2OqeCmcWQOJTN/y4YYu7fDeelGx
OZY9bdVuJtI8zeWS78TLapk7qLXEidm66FIitZpQaniCrmmZeRrimsT0AkG0I5Q/
MAYkanL7pUsxcMw/tT178eBCgoG19NQ5wtYfdhtJ5tRDvowOzUuPxvMvaS1apSyY
WOQVKuhcmePcuSlxQ4pa+hSbXD96k1+a1lJG1nyPcQ5T93fhdadpPjJSessM0jmE
HT6PBDSgJifZIXVWyNx800A6ehPkNvvoTX/9w9NdiIHmIUBJTpGzCf6iUGX4zENe
z0KqugAjZfq5P+4MxgeeoDFLuvNwYLfypGix57+HI2PertOljyKtSr11WJS637+W
/7xp9P0pEnIFZT1HHoED
=6cUW
-----END PGP SIGNATURE-----