JPCERT-AT-2012-0036
JPCERT/CC
2012-11-14 (First Edition)
2012-11-16 (Updated)

<<< JPCERT/CC Alert 2012-11-14 >>>
Attacks targeting Java SE vulnerabilities disclosed in October 2012
https://www.jpcert.or.jp/english/at/2012/at120036.html

I. Overview

JPCERT/CC has observed attacks that target known vulnerabilities in Java SE JDK and JRE provided by Oracle. Of the vulnerabilities in Java SE JDK and JRE that were disclosed on October 17, 2012, these attacks target vulnerabilities in Java 7. Therefore, users of Java 7 who are not running the most recent version of Java 7 may be vulnerable to arbitrary code execution by a remote attacker.

For more information on the vulnerabilities, refer to the information provided by Oracle.

Oracle
Oracle Java SE Critical Patch Update Advisory - October 2012
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

*** Update: Revised on November 16, 2012 *****************************
JPCERT/CC has received incident reports regarding official Japanese websites being altered. Users who access an altered website are redirected to a malicious website and infected with malware that leverages the Java vulnerabilities.
*** Update: Revised on November 16, 2012 *****************************

It has also been confirmed that parts of the attack code have been incorporated into exploit kits. Attacks targeting these vulnerabilities may increase. We recommend updating the software to the most recent version provided by Oracle.

II. Products Affected

JDK and JRE 7 Update 7 and earlier versions

III. JPCERT/CC test results

JPCERT/CC conducted a test against the attack code that leveraged the vulnerabilities and was placed on a malicious website.

[Testing Environment]
OS: Windows 7 SP1 (with October 2012 security updates applied)
Web Browser: Internet Explorer 9

- Test Results with JRE 7 Update 7
In the testing environment above with JRE 7 Update 7 installed, arbitrary code execution was confirmed when the proof-of-concept code was executed.

It has also been verified that JRE 7 Update 9 is not affected.

IV. Solution

Oracle has released software that addresses the vulnerabilities. Please update to the most recent version of the software.

- Java SE JDK and JRE 7 Update 9
Java Downloads for All Operating Systems
http://www.java.com/en/download/manual.jsp

V. References

Oracle
Oracle Java SE Critical Patch Update Advisory - October 2012
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

Oracle
Java SE Development Kit 7 Update 9 Release Notes
http://www.oracle.com/technetwork/java/javase/7u9-relnotes-1863279.html

If you have any information regarding this alert, please contact JPCERT/CC.

________
Revision history
2012-11-14 First edition
2012-11-16 Information added in "I. Overview"

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600
FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
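A small triage helper for the affected range named in "II. Products Affected" and the fixed release named in "IV. Solution": it parses the version line printed by `java -version` (for example `java version "1.7.0_07"`) and reports whether that runtime is 7 Update 7 or earlier, 7 Update 9 or later, or outside the scope of this alert. This is an added example, not tooling from JPCERT/CC or Oracle; the sample version strings are constructed for illustration, and the `local_java_version` helper assumes a `java` binary on the PATH that prints its version banner to stderr, as the Oracle JRE does.

```python
"""Classify a Java 7 runtime against JPCERT-AT-2012-0036.

Added example, not JPCERT/CC's own tooling. Affected range (from the alert):
JDK/JRE 7 Update 7 and earlier. Fixed release (from the alert): 7 Update 9.
"""
import re
import subprocess
from typing import Optional, Tuple

LAST_AFFECTED_UPDATE = 7   # "7 Update 7 and earlier" per section II
FIXED_UPDATE = 9           # "7 Update 9" per section IV

# Matches the banner line of Java 1.x releases, e.g. java version "1.7.0_07".
# Group 1 is the major release (7), group 2 the update number (07), if present.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if no
    Java 1.x banner is present. "1.7.0_07" -> (7, 7); "1.7.0" -> (7, 0)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def assess(banner: str) -> str:
    """Map a version banner to one of:
    'affected'     - Java 7, Update 7 or earlier (in scope of the alert)
    'patched'      - Java 7, Update 9 or later (fixed release or newer)
    'out-of-scope' - not Java 7; this alert makes no statement about it
    'unknown'      - banner not recognised, or a Java 7 update the alert
                     does not name (between 7u7 and 7u9)"""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major != 7:
        return "out-of-scope"
    if update <= LAST_AFFECTED_UPDATE:
        return "affected"
    if update >= FIXED_UPDATE:
        return "patched"
    return "unknown"


def local_java_version() -> Optional[Tuple[int, int]]:
    """Run the locally installed `java -version` (hypothetical helper; assumes
    a `java` binary on PATH). The Oracle JRE prints the banner to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample banners, in the format the Oracle JRE prints.
SAMPLE_BANNERS = {
    "host-a": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "host-b": 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment (build 1.7.0_09-b05)',
    "host-c": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment (build 1.6.0_37-b06)',
    "host-d": "bash: java: command not found",
}


def triage(banners: dict) -> dict:
    """Classify every host's banner; returns {host: verdict}."""
    return {host: assess(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Feed the script the captured `java -version` output from each host (an inventory export, a login script, or `local_java_version()` on the machine itself) and act on every `affected` verdict by installing 7 Update 9 or later; `unknown` results should be checked by hand rather than assumed safe.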