January 2013 Java Zero Day
On Friday, January 11th, a new vulnerability (CVE-2013-0422) was announced in the Oracle Java software installed on many workstations. It affects end user systems when a browser with the Java plug-in enabled visits a malicious website: such a site can exploit the vulnerability to install malware, including malware used to steal an individual's identity. Oracle has released an update that fixes this vulnerability.
This vulnerability only affects Java 7. Users running Java 6 are not required to update at this time. University IT and ISD will be pushing Java 7 Update 11, the fixed release, to all managed vulnerable systems. The majority of Medical Center systems are not affected by this vulnerability. For systems that are not centrally managed, a manual update of the Java software is strongly recommended. Instructions on how to check which version of Java you are running, and how to update if necessary, are given below:
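As an added example, not part of the original notice or of Oracle's alert, the following POSIX shell script classifies a Java runtime against the fix level named above (Java 7 Update 11, version string 1.7.0_11). It assumes the legacy 1.<family>.0_<update> numbering that `java -version` printed at the time, and it treats Java 6 as not affected, as the notice states; the sample version lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Java runtime against the CVE-2013-0422 fix level.
# Java 7 Update 11 (1.7.0_11) is the first fixed Java 7 release; Java 6 is
# treated as not affected, per the notice above. Assumes the legacy version
# format 1.<family>.0_<update>[-build] as printed by `java -version`.
#
# Input: the first line of `java -version` output, e.g. (constructed):
#     java version "1.7.0_10"
# Prints one of: vulnerable | fixed | not-affected | unknown

classify_java_version() {
    line=$1
    # Pull the quoted version string out of the line, e.g. 1.7.0_10
    ver=$(printf '%s\n' "$line" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi

    # family: the "7" in 1.7.0_10; update: the "10" (absent for the GA release 1.7.0)
    family=$(printf '%s\n' "$ver" | cut -d. -f2)
    update=$(printf '%s\n' "$ver" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*/\1/p')
    update=$(printf '%s\n' "$update" | sed 's/^0*//')   # 1.7.0_09 -> 9
    [ -n "$update" ] || update=0                          # 1.7.0 (GA) -> update 0

    case $family in
        7)
            if [ "$update" -lt 11 ]; then echo vulnerable; else echo fixed; fi ;;
        6|5|4)
            echo not-affected ;;
        *)
            echo unknown ;;
    esac
}

# Run the check against the JRE found on PATH. Exit status 2 means "patch now".
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java executable on PATH"
        return 1
    fi
    # `java -version` writes to stderr, hence the redirect.
    first=$(java -version 2>&1 | head -n 1)
    verdict=$(classify_java_version "$first")
    echo "$first -> $verdict"
    if [ "$verdict" = vulnerable ]; then return 2; fi
    return 0
}

if [ "${1:-}" = "--installed" ]; then
    check_installed_java
fi
```

Run it as `sh java_check.sh --installed` on a workstation; a non-zero exit status of 2 flags a Java 7 runtime older than Update 11. The script only inspects the runtime on PATH, so on a machine with several JREs installed (or a browser plug-in pointing at a different one) each installation should be checked separately.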
Additional information on this update can be found on the Oracle website by searching for the CVE number given in the alert below.
For questions on this notice, please contact your respective IT helpdesk.

Oracle Security Alert for CVE-2013-0422
This Security Alert addresses security issues CVE-2013-0422 (US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability) and another vulnerability affecting Java running in web browsers. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software.

The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.