Message-ID: <4FD88ABC.20501@security-explorations.com>
Date: Wed, 13 Jun 2012 14:42:36 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [SE-2012-01] Regarding Oracle's Critical Patch Update for Java SE


Dear All,

Yesterday, Oracle released its Critical Patch Update for Java SE
software [1], which incorporates fixes for 3 of more than 20+
security issues that were reported to the company in Apr 2012 [2].

We would like to inform you that, while some of the Proof of Concept
codes we developed for the aforementioned issues no longer work,
there are still many of them that haven't been addressed yet and that
can be successfully exploited to achieve a complete security sandbox
bypass in the environment of affected Java software.

For those willing to acquire a little bit more information about
the security issues found, we have added new FAQ and PoC pages to
our website:

http://www.security-explorations.com/en/SE-2012-01-faq.html
http://www.security-explorations.com/en/SE-2012-01-poc.html

Full technical details of discovered vulnerabilities and attacks
will be published at some later time.

Finally, we would like to take the opportunity to kindly ask
Apple security people to take the time to respond to our email
inquiries. We can imagine that a full Java sandbox compromise on
Windows OS caused by a combination of Java SE and Apple QuickTime
issues [3] might not be a high-priority matter for the company.
But it's probably better to actually take notice, especially
if the company fails to develop a fix for the same security issue a
fourth time in a row.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Oracle Java SE Critical Patch Update Advisory - June 2012
     http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
[2] SE-2012-01 Security vulnerabilities in Java SE
     http://www.security-explorations.com/en/SE-2012-01.html
[3] Security weakness in Apple QuickTime Java extensions
     http://seclists.org/bugtraq/2012/Apr/83
