lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 21 Jan 2013 12:46:30 -0500
From: bytze bytze <gbytze@...il.com>
To: Security Explorations <contact@...urity-explorations.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [SE-2012-01] Java 7 Update 11 confirmed to be
	vulnerable

U guys are the best....thank u for what u do
On Jan 21, 2013 9:46 AM, "Security Explorations" <
contact@...urity-explorations.com> wrote:

>
> Hello All,
>
> This post might be interesting for those concerned about the
> state of Oracle's Java SE security.
>
> We have successfully confirmed that a complete Java security
> sandbox bypass can be still gained under the recent version
> of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).
>
> MBeanInstantiator bug (or rather a lack of a fix for it [2][3])
> turned out to be quite inspirational for us. However, instead
> of relying on this particular bug, we have decided to dig our
> own issues. As a result, two new security vulnerabilities (51
> and 52) were spotted in a recent version of Java SE 7 code and
> they were reported to Oracle today [4] (along with a working
> Proof of Concept code).
>
> Thank you.
>
> Best Regards
> Adam Gowdiak
>
> ------------------------------**---------------
> Security Explorations
> http://www.security-**explorations.com<http://www.security-explorations.com>
> "We bring security research to the new level"
> ------------------------------**---------------
>
> References:
> References:
> [1] Oracle Security Alert for CVE-2013-0422
>
> http://www.oracle.com/**technetwork/topics/security/**
> alert-cve-2013-0422-1896849.**html<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>
> [2] Java 7 Update 11 Addresses the Flaw Partly Fixed in October 2012,
> Experts Say
>
> http://news.softpedia.com/**news/Java-7-Update-11-**
> Addresses-the-Flaw-Partly-**Fixed-in-October-2012-Experts-**
> Say-320792.shtml<http://news.softpedia.com/news/Java-7-Update-11-Addresses-the-Flaw-Partly-Fixed-in-October-2012-Experts-Say-320792.shtml>
> [3] Confirmed: Java only fixed one of the two bugs
>
> http://immunityproducts.**blogspot.com.ar/2013/01/**
> confirmed-java-only-fixed-one-**of-two.html<http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html>
> [4] SE-2012-01 Vendors status
>     http://www.security-**explorations.com/en/SE-2012-**01-status.html<http://www.security-explorations.com/en/SE-2012-01-status.html>
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ