
                                                   JPCERT-AT-2012-0021
                                                             JPCERT/CC
                                                            2012-06-29

                  <<< JPCERT/CC Alert 29.06.12 >>>

           Attacks on Java SE vulnerabilities in June 2012

        https://www.jpcert.or.jp/english/at/2012/at120021.html


I. Overview

  JPCERT/CC has confirmed attacks targeting a known vulnerability in
Oracle Java SE JDK and JRE. A remote attacker may execute arbitrary
code on systems running Java SE JDK and JRE versions older than the June
13, 2012, release. For more information, refer to the Oracle website.

    Oracle Java SE Critical Patch Update Advisory - June 2012
    http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

  JPCERT/CC has received reports that legitimate websites have been
altered to redirect visitors to an attack site, where they may be
infected with malware.

  JPCERT/CC has also confirmed that code exploiting this vulnerability
has been incorporated into some exploit kits. Attack activity targeting
this vulnerability may increase in the future, so we recommend updating
to the corrected software provided by Oracle.


II. Products affected

  JDK and JRE 7 Update 4 and earlier
  JDK and JRE 6 Update 32 and earlier


III. Test results from JPCERT/CC

  JPCERT/CC has tested the attack code exploiting this vulnerability
that was found on the attack site.

    [Test environment]
    OS: Windows XP SP3
    Browser: IE 8.0.6001.18702

  - Test results with JRE 6 Update 32 / JRE 7 Update 4
    JPCERT/CC has confirmed that under the above test environment with
    JRE 6 Update 32 / JRE 7 Update 4 installed, when executing the
    attack code, users are directed to the external site.

  - Test results with JRE 6 Update 33 / JRE 7 Update 5
    JPCERT/CC has confirmed that under the above test environment with
    JRE 6 Update 33 / JRE 7 Update 5 installed, when executing the
    attack code, users are not directed to the external site.


IV. Solution

  Oracle has released corrected versions of the software. Update to
the corrected version listed below.

    - Java SE JDK and JRE 7 Update 5
    - Java SE JDK and JRE 6 Update 33

    Java Downloads for All Operating Systems:
    http://java.com/ja/download/manual.jsp?locale=ja

  * Oracle has announced that support for Java SE 6 will end in
    November 2012. Consider migrating to Java SE 7, taking the
    compatibility of your applications into account.

    Oracle Technology Network
    Java SE EOL Policy: Java SE 6 End of Life (EOL) Notice
    http://www.oracle.com/technetwork/java/eol-135779.html#Interfaces

    Oracle
    Moving to Java 7 as default
    https://blogs.oracle.com/henrik/entry/moving_to_java_7_as
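  The following script is an added example (not part of this alert or
of Oracle's tooling) that checks an installed Java against the affected
versions in section II and the corrected versions in section IV. It
parses the banner printed by "java -version"; the sample banner inside
the script is constructed for illustration.

```python
import re
import subprocess

# Last affected update per Java major version, taken from section II of
# the alert: 7 Update 4 and earlier, 6 Update 32 and earlier. The first
# corrected releases are therefore 7 Update 5 and 6 Update 33 (section IV).
LAST_AFFECTED_UPDATE = {7: 4, 6: 32}

# "java -version" prints e.g. java version "1.7.0_04"; the update part
# may be absent for a GA release such as "1.7.0".
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.0(?:_(\d+))?')

# Constructed sample banner in the format the JVM prints on stderr.
SAMPLE_BANNER = 'java version "1.7.0_04"\nJava(TM) SE Runtime Environment (build 1.7.0_04-b22)\n'


def parse_java_version(banner):
    """Return (major, update) from a java -version banner, e.g. (7, 4)."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError("no Java version string found in banner")
    return int(match.group(1)), int(match.group(2) or 0)


def is_affected(major, update):
    """True/False for Java 6 and 7 per the alert; None for majors the
    alert's product list does not cover (do not assume those are safe)."""
    last = LAST_AFFECTED_UPDATE.get(major)
    if last is None:
        return None
    return update <= last


def assess(banner):
    """Human-readable verdict for one java -version banner."""
    major, update = parse_java_version(banner)
    verdict = is_affected(major, update)
    if verdict is None:
        status = "not covered by this alert"
    elif verdict:
        status = "AFFECTED - update required"
    else:
        status = "not affected"
    return "Java %d Update %d: %s" % (major, update, status)


def installed_java_banner():
    """Run java -version; the JVM writes its banner to stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER))          # Java 7 Update 4: AFFECTED - update required
    print(assess(installed_java_banner()))
```

  Only the JRE first on PATH is inspected; a browser plugin may use a
different installed JRE, so check every installation on the machine.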


V. References

    Oracle
    Oracle Java SE Critical Patch Update Advisory - June 2012
    http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

    June 2012 Critical Patch Update for Java SE Released
    https://blogs.oracle.com/security/entry/june_2012_critical_patch_update

    Text Form of Oracle Java SE Critical Patch Update - June 2012 Risk Matrices
    http://www.oracle.com/technetwork/topics/security/javacpujun2012verbose-1515971.html


  If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/