Release date:
Updated on: 2013-01-12
Affected Systems:
Oracle Java 7 Update 10 and all earlier Java 7 releases
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 57246
CVE ID: CVE-2013-0422
The Oracle Java Runtime Environment (JRE) provides the runtime environment for Java applications.
The com.sun.jmx.mbeanserver.JmxMBeanServer class in Oracle JRE 7 has a sandbox bypass vulnerability: a public method exposes an internal MBeanInstantiator, whose findClass method returns references to arbitrary (including restricted) classes. An untrusted applet or Java Web Start application can use this to bypass the Java SecurityManager checks and execute arbitrary Java code with the privileges of the user running the browser, taking control of the user's system. The vulnerability was found being exploited in the wild by drive-by exploit kits before any patch was available.
At the time of writing, every release of Oracle JRE 7 up to and including Update 10 is affected. Oracle Java 6 is not affected.
<* Source: Kafeine
Link: http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html?m=1
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://secunia.com/advisories/51820/
http://www.kb.cert.org/vuls/id/625617
http://www.nsfocus.net/index.php?act=alert&do=view&aid=131
*>
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
If you cannot install or upgrade to a patched version immediately, NSFOCUS recommends the following measures to reduce the threat:
* Temporarily disable Java in the browser (the vulnerability is reached through the browser plug-in; standalone Java applications are not the attack vector)
Reference: http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
For Windows users:
1) Firefox
Tools -> Add-ons (Ctrl-Shift-A) -> Plugins, disable every entry containing "Java", then restart Firefox.
Alternatively, install the NoScript extension and go to NoScript Options -> Embeddings -> forbid Java.
2) Chrome
Click the wrench icon in the upper right corner -> Settings -> click "Show advanced settings" -> Privacy -> Content settings -> Plug-ins
-> Disable individual plug-ins -> Java -> Disable
3) Internet Explorer
If you have already upgraded to JRE 7 Update 10, a new security setting lets you disable Java in the browser:
open Control Panel, search for Java, open the Java Control Panel, select the "Security" tab and clear the
"Enable Java content in the browser" check box.
http://www.java.com/en/download/help/disable_browser.xml
For versions earlier than JRE 7 Update 10:
Control Panel -> Java -> Java tab -> View -> User tab -> clear "Enabled" for every listed JRE (Java Runtime Environment)
Control Panel -> Java -> Java tab -> View -> System tab -> clear "Enabled" for every listed JRE (Java Runtime Environment)
However, this method only works on Windows XP and Server 2003. On Vista, Windows 7 and later the "Enabled" check box
is greyed out and cannot be cleared, so on those systems modify the registry with regedit instead.
The registry value is located under the following key (one subkey per installed plug-in version; <version> is the JRE version string):
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in]
[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>]
"UseJava2IExplorer"=dword:00000001
--------------------------------------------------------------------------
Every installed Java version has its own UseJava2IExplorer value. The default value 1 enables the plug-in in Internet Explorer; set it to 0 under each version subkey to disable Java in IE, then restart the browser.
If 32-bit Java is also installed on a 64-bit system, the 32-bit plug-in has a separate copy of the value under the Wow6432Node key, which must be changed as well:
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>]
"UseJava2IExplorer"=dword:00000001
--------------------------------------------------------------------------
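The registry edit above has to be repeated for every installed plug-in version and, on 64-bit Windows, under both the native and the Wow6432Node key, which is easy to get wrong by hand. The following PowerShell script is an added example and not part of the NSFOCUS advisory: it walks both keys, sets UseJava2IExplorer to 0 for every version subkey it finds, reads the value back to confirm the change, and supports -WhatIf for a dry run. The -Enable switch (an addition for convenience) restores the default value of 1. It assumes it is run from an elevated PowerShell prompt; a missing value is treated as the default 1, since the plug-in is enabled when the value is absent.

```powershell
# Added example (not from the advisory): disable the Java plug-in for Internet
# Explorer on every installed JRE by setting UseJava2IExplorer=0 under both the
# native and the Wow6432Node "Java Plug-in" keys. Run from an elevated prompt.
# Usage:  .\Disable-JavaIE.ps1            # disable
#         .\Disable-JavaIE.ps1 -WhatIf    # show what would change
#         .\Disable-JavaIE.ps1 -Enable    # restore the default (1)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enable   # assumption: optional switch to re-enable instead of disable
)

# Both locations named in the advisory; the second exists only when a
# 32-bit JRE is installed on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)
$target = if ($Enable) { 1 } else { 0 }
$changed = 0

foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) {
        Write-Verbose "Key not present, skipping: $root"
        continue
    }
    # Each subkey is one installed plug-in version (the <version> placeholder above).
    foreach ($key in Get-ChildItem -Path $root) {
        $path = $key.PSPath
        $current = (Get-ItemProperty -Path $path -Name UseJava2IExplorer -ErrorAction SilentlyContinue).UseJava2IExplorer
        if ($null -eq $current) { $current = 1 }   # absent value means enabled (default)

        if ([int]$current -eq $target) {
            Write-Host ("{0} ({1}): UseJava2IExplorer already {2}" -f $key.PSChildName, $root, $current)
            continue
        }
        if ($PSCmdlet.ShouldProcess($path, "Set UseJava2IExplorer=$target")) {
            Set-ItemProperty -Path $path -Name UseJava2IExplorer -Value $target -Type DWord
            # Read back to verify the write actually took effect.
            $after = (Get-ItemProperty -Path $path -Name UseJava2IExplorer).UseJava2IExplorer
            if ([int]$after -ne $target) {
                Write-Warning ("{0}: value is {1} after write, expected {2}" -f $key.PSChildName, $after, $target)
            } else {
                Write-Host ("{0} ({1}): UseJava2IExplorer {2} -> {3}" -f $key.PSChildName, $root, $current, $after)
                $changed++
            }
        }
    }
}

Write-Host "$changed plug-in version(s) updated. Restart Internet Explorer for the change to take effect."
```

This only affects Internet Explorer: Firefox and Chrome read their plug-in settings elsewhere, so the browser-specific steps above still apply to them. Run the script again without -WhatIf after reviewing the dry-run output, and re-run it after any Java reinstall, since an installer can recreate the version subkey with the default value.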
Vendor patch:
Oracle
------
At the time of writing, the vendor has not released a patch or upgraded version. Users of the affected software should watch the vendor's security page and install the fixed release as soon as it becomes available:
http://www.oracle.com/technetwork/topics/security/