Copyright 2022 - CSIM - Asian Institute of Technology

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: US-CERT Alert TA12-240A - Oracle Java 7 Security Manager Bypass Vulnerability
From: US-CERT Alerts <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date: Tue, 28 Aug 2012 00:14:00 -0400

Hash: SHA1

National Cyber Awareness System

US-CERT Alert TA12-240A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: August 27, 2012
Last revised: --

Systems Affected

     Any system using Oracle Java 7 (1.7, 1.7.0) including:

     * Java Platform Standard Edition 7 (Java SE 7)
     * Java SE Development Kit (JDK 7)
     * Java SE Runtime Environment (JRE 7)

     Web browsers using the Java 7 Plug-in are at high risk.


   A vulnerability in the way Java 7 restricts the permissions of Java
   applets could allow an attacker to execute arbitrary commands on a
   vulnerable system.


   A vulnerability in the Java Security Manager allows a Java applet
   to grant itself permission to execute arbitrary operating system
   commands. An attacker could use social engineering techniques to
   entice a user to visit a link to a web site hosting a malicious

   Any web browser using the Java 7 Plug-in is affected.

   Reports indicate this vulnerability is being actively exploited,
   and exploit code is publicly available.


   By convincing a user to load a malicious Java applet, an attacker
   could execute arbitrary operating system commands on a vulnerable
   system with the privileges of the Java Plug-in process.


   Disable the Java Plug-in

   Disabling the Java web browser plug-in will prevent Java applets
   from from running. Here are instructions for several common web

   * Apple Safari: How to disable the Java web plug-in in Safari

   * Mozilla Firefox: How to turn off Java applets

   * Google Chrome: See the "Disable specific plug-ins" section of the
     Chrome Plug-ins documentation.

   * Microsoft Internet Explorer: Change the value of the
     UseJava2IExplorer registry key to 0. Depending on the versions of
     Windows and the Java plug-in, the key can be found in these

       HKLM\Software\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer

       HKLM\Software\Wow6432Node\JavaSoft\Java Plug-in\{version}\UseJava2IExplorer
   * The Java Control Panel (javacpl.exe) does not reliably configure
     the Java plug-in for Internet Explorer. Instead of editing the
     registry, it is possible to run javacpl.exe as Administrator,
     navigate to the Advanced tab, Default Java for browsers, and use
     the space bar to de-select the Microsoft Internet Explorer option.

   Use NoScript

   NoScript is a browser extension for Mozilla Firefox browsers that
   provides options to block Java applets.


 * Vulnerability Note VU#636312

 * Zero-Day Season is Not Over Yet

 * Let's start the week with a new Java 0-day in Metasploit


 * The Security Manager

 * Java 7 0-Day vulnerability information and mitigation.

 * How to disable the Java web plug-in in Safari

 * How to turn off Java applets

 * NoScript

Revision History

  August 27, 2012: Initial release


   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <This email address is being protected from spambots. You need JavaScript enabled to view it.> with "TA12-240A Feedback VU#636312" in
   the subject.

   Produced by US-CERT, a government organization.

This product is provided subject to this Notification:

Privacy & Use policy:

This document can also be found at

For instructions on subscribing to or unsubscribing from this 
mailing list, visit

Version: GnuPG v1.4.5 (GNU/Linux)


Powered by: MHonArc

Login Form


School of Engineering and technologies     Asian Institute of Technology