JPCERT-AT-2012-0021
JPCERT/CC
2012-06-29

<<< JPCERT/CC Alert 29.06.12 >>>
Attacks on Java SE vulnerabilities in June 2012
https://www.jpcert.or.jp/english/at/2012/at120021.html

I. Overview

JPCERT/CC has confirmed attacks targeting a known vulnerability in Oracle Java SE JDK and JRE. A remote attacker may execute arbitrary code on systems running Java SE JDK and JRE versions older than the June 13, 2012 release. For more information, refer to the Oracle website.

Oracle Java SE Critical Patch Update Advisory - June 2012
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

JPCERT/CC has received reports that legitimate websites have been altered so that visitors are redirected to an attack site, where they may be infected with malware. JPCERT/CC has also confirmed that an attack function exploiting this vulnerability has been incorporated into some exploit kits.

Attack activity targeting this vulnerability may increase in the future, so we recommend updating to the corrected software provided by Oracle.

II. Products affected

- JDK and JRE 7 Update 4 and earlier
- JDK and JRE 6 Update 32 and earlier

III. Test results from JPCERT/CC

JPCERT/CC has verified the attack code exploiting this vulnerability that was found on the attack site.

[Test environment]
OS: Windows XP SP3
Browser: IE 8.0.6001.18702

- Test results with JRE 6 Update 32 / JRE 7 Update 4
JPCERT/CC has confirmed that in the above test environment, with JRE 6 Update 32 / JRE 7 Update 4 installed, executing the attack code redirects the user to the external site.

- Test results with JRE 6 Update 33 / JRE 7 Update 5
JPCERT/CC has confirmed that in the above test environment, with JRE 6 Update 33 / JRE 7 Update 5 installed, executing the attack code does not redirect the user to the external site.

IV. Solution

Oracle has released a corrected version of the software. Update to the corrected version:
- Java SE JDK and JRE 7 Update 5
- Java SE JDK and JRE 6 Update 33

Java Downloads for All Operating Systems:
http://java.com/ja/download/manual.jsp?locale=ja

* Oracle has announced that support for Java SE 6 will end in November 2012. Consider migrating to Java SE 7, taking into account whether your applications run correctly on it.

Oracle Technology Network Java SE EOL Policy: Java SE 6 End of Life (EOL) Notice
http://www.oracle.com/technetwork/java/eol-135779.html#Interfaces

Oracle Moving to Java 7 as default
https://blogs.oracle.com/henrik/entry/moving_to_java_7_as

V. References

Oracle
Oracle Java SE Critical Patch Update Advisory - June 2012
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

June 2012 Critical Patch Update for Java SE Released
https://blogs.oracle.com/security/entry/june_2012_critical_patch_update

Text Form of Oracle Java SE Critical Patch Update - June 2012 Risk Matrices
http://www.oracle.com/technetwork/topics/security/javacpujun2012verbose-1515971.html

If you have any information regarding this alert, please contact JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600
FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
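The following is an added example, not part of the JPCERT/CC alert, showing how an administrator could turn the version ranges in Sections II and IV into a mechanical check: it parses the version token that `java -version` prints (for example "1.7.0_04" for 7 Update 4) and compares the update level against the fixed releases named in the alert (7 Update 5, 6 Update 33). The fixed-update table and the function names are assumptions for this example; the sample `java -version` outputs are constructed, not captured from real systems.

```python
import re
from typing import Optional, Tuple

# Fixed update levels from the alert: 7 Update 5 and 6 Update 33.
# Any update below these numbers is in the affected range (assumption:
# the alert lists only Java 6 and 7, so other majors are "not covered").
FIXED_UPDATE = {6: 33, 7: 5}

# Matches the version token printed on the first line of `java -version`,
# e.g.  java version "1.7.0_04"  or  java version "1.6.0_33"  or "1.7.0".
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` text, or None if no
    version string is present. A token without an update suffix
    (e.g. "1.7.0") is treated as Update 0."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(major: int, update: int) -> Optional[bool]:
    """True if (major, update) is below the fixed update for that major,
    False if it is at or above it, None if the major is not covered
    by this alert."""
    fixed = FIXED_UPDATE.get(major)
    if fixed is None:
        return None
    return update < fixed


def assess(output: str) -> str:
    """Classify one `java -version` output against this alert."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown: no Java version string found"
    major, update = parsed
    verdict = is_affected(major, update)
    if verdict is None:
        return f"not covered by this alert: Java {major} Update {update}"
    if verdict:
        return (f"AFFECTED: Java {major} Update {update} "
                f"(update to {major} Update {FIXED_UPDATE[major]} or later)")
    return f"fixed: Java {major} Update {update}"


# Constructed sample outputs for demonstration (not real captures).
SAMPLES = {
    "7u4":  'java version "1.7.0_04"\nJava(TM) SE Runtime Environment\n',
    "7u5":  'java version "1.7.0_05"\nJava(TM) SE Runtime Environment\n',
    "6u32": 'java version "1.6.0_32"\n',
    "6u33": 'java version "1.6.0_33-icedtea"\n',
    "7u0":  'java version "1.7.0"\n',
    "5u22": 'java version "1.5.0_22"\n',
    "none": "'java' is not recognized as an internal or external command\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:>5}: {assess(text)}")
```

On a real host the text to feed into `assess()` comes from `java -version 2>&1`, since the JRE prints its banner to stderr; a browser may also use a different JRE than the one first on PATH, so check every installed JRE rather than only the default one.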