http://www.dslreports.com/forum/Yet-another-Java-security-flaw-discovered-Number-53-27958880 en Sun, 19 May 2013 15:52:53 EDT Sun, 19 May 2013 15:52:53 EDT http://www.dslreports.com/forum/Re-Yet-another-Java-security-flaw-discovered-Number-53-27960589
Same as Yet another Firefox security flaw discovered - Number... who cares.

It's really getting old this play on Java.
--
Chris
Living in Paradise!!]]> http://www.dslreports.com/forum/Re-Yet-another-Java-security-flaw-discovered-Number-53-27960589 Wed, 30 Jan 2013 04:25:34 EDT http://www.dslreports.com/forum/Re-Yet-another-Java-security-flaw-discovered-Number-53-27960572 Quantity is only one vector. And not necessarily the most important. Exploit severity is another and likely more important.
]]> http://www.dslreports.com/forum/Re-Yet-another-Java-security-flaw-discovered-Number-53-27960572 Wed, 30 Jan 2013 03:38:40 EDT http://www.dslreports.com/forum/Re-Yet-another-Java-security-flaw-discovered-Number-53-27960518
According to CVE Details is more than that.

1 JRE SUN 303 (2001-2012) (46 in 2012)
2 JRE Oracle 64 (2010-2013) (58 in 2012, 2 in 2013)

Firefox had 162 in 2012, 27 so far in 2013. »www.cvedetails.com/product/3264/···r_id=452

Chrome had 248 in 2012, 29 so far in 2013. »www.cvedetails.com/product/15031···_id=1224
--
Chris
Living in Paradise!!]]> http://www.dslreports.com/forum/Re-Yet-another-Java-security-flaw-discovered-Number-53-27960518 Wed, 30 Jan 2013 02:19:16 EDT http://www.dslreports.com/forum/Yet-another-Java-security-flaw-discovered-Number-53-27958880 blogs.computerworld.com/malware-···umber-53

»seclists.org/fulldisclosure/2013/Jan/241

"JAVA FLAW NUMBER 53

And that's where things stood until today, when I received an email from Adam Gowdiak pointing me to his latest discovery of, yet another Java bug. Ironically, the bug is with the new security improvements Mr. Smith alluded to.

As is the normal pattern, this new flaw involves running unsigned Java programs embedded in web pages.

Java 7 Update 10 introduced the new security rules for unsigned applets, and Update 11 made the default more secure. But, it turns out that the rules are not rules, they're not even suggestions. Gowdiak referred to them as theories.

He writes

What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings ...

Whereas I found that Internet Explorer would ignore the new security rules, Gowdiak's discovery is much broader. We approached things differently. I tested with safe Java applets, he purposely wrote a malicious one.

Via email, Gowdiak wrote that "We found a generic way to bypass the new security settings imposed by Java Control Panel that control the launch of unsigned Java code."

In other words, his malicious unsigned applet can do its dirty work in all browsers. On Windows 7, he tested the latest version of Internet Explorer 9, Firefox 18.0.1, Opera 12.12 and Google Chrome 24.0.1312.56m.

Also, since I was using safe applets, Java had to be tweaked a couple times before the rules were ignored (the end user had to first disable Java in browsers via the Java Control Panel, then later re-enable it). Not so with Gowdiak's malicious applet, which can run without warning on the "Very High" setting, even if Java has not been tweaked and even if the "Very High" setting is blocking other applets.

In the conclusion of his Full Disclosure mailing list posting, Gowdiak wrote

"... recently made security "improvements" to Java SE 7 software don't prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit."

Anymore reasons one needs to uninstall if possible and disable otherwise? Atleast Firefox and *shudder* Chrome use Click to Play atleast for those of us who use Java.]]> http://www.dslreports.com/forum/Yet-another-Java-security-flaw-discovered-Number-53-27958880 Tue, 29 Jan 2013 15:27:34 EDT