dslreports logo
 
    All Forums Hot Topics Gallery
spc

spacer

Search Topic:
uniqs
14
share rss forum feed


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to redwolfe_98

Re: Warning: 0-Day vulnerability in Java 7

I run it on win7 with chrome...and I doubt they can whacked it in XP on chrome sandbox no matter what is claimed they can do.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

»krebsonsecurity.com/tag/cve-2012 ··· 12-4681/

CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Reimer

join:2006-08-14
Toronto, ON
Chromes sandbox doesn't protect against plugins though. Except, of course, for its built-in PDF and flash.

However, Chrome does block java applets by default. The question is whether or how the exploit seems to bypass that.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 edits
reply to Name Game
said by Name Game:

I doubt they can whacked it in XP on chrome sandbox no matter what is claimed they can do

this vulnerability seems different from what is normally seem..

thinking about it, from what i read, the vulnerability functions in a way that is similar to what was done when "chrome" was "pwned" by "vupen", not too long ago, where they were able to run code in a place where it wasn't suppose to be able to run..

from what i read about the vulnerability, i got the impression that someone just overlooked something, in the coding, making "java" vulnerable to being exploited..

in the past, google has been pretty quick to respond to problems with chrome.. (incidentally, it seems like there have been a whole hell of a lot of patches for chrome, lately).. if google is serious about having a secure browser, i think they should promptly "kick out" a java-free version of chrome.. or, using their "cloud" remote-control, nuke "java", instead..one or the other, if they are serious about having a secure browser..