Overview
Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Java 7 Update 10 and earlier Java 7 versions contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
Impact
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
Solution
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
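An added triage sketch, not part of the original note: it sorts `java -version` strings by the two thresholds the note gives (Java 7 Update 10 and earlier is affected; the control panel switch exists starting with Update 10). The host names, sample strings and status labels are constructed for illustration, and the `1.<major>.0_<update>` version pattern is an assumption about how the runtimes report themselves.

```python
import re

# Assumed version format: 1.<major>.<minor>[_<update>], e.g. 1.7.0_10 or 1.7.0.
_VERSION_RE = re.compile(r'\b1\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(text):
    """Return (major, update) found in `java -version` style text, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    # A release with no "_NN" suffix is the initial release: update 0.
    return int(m.group(1)), int(m.group(3) or 0)

def triage(text):
    """Classify one version string against the thresholds stated in the note."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"                  # needs a manual look
    major, update = parsed
    if major != 7:
        return "not-covered-by-note"       # the note only speaks about Java 7
    if update > 10:
        return "not-covered-by-note"       # the note lists Update 10 and earlier
    if update == 10:
        return "affected-browser-switch-available"
    # Updates before 10 predate the control panel switch the workaround uses.
    return "affected-no-browser-switch"

def triage_inventory(inventory):
    """Map each host to its status; `inventory` is {host: version text}."""
    return {host: triage(text) for host, text in inventory.items()}

# Constructed sample inventory (hypothetical hosts and collected strings).
SAMPLE_INVENTORY = {
    "ws-001": 'java version "1.7.0_10"',
    "ws-002": 'Java(TM) SE Runtime Environment (build 1.7.0_09-b05)',
    "ws-003": 'java version "1.7.0"',
    "ws-004": 'java version "1.6.0_38"',
    "ws-005": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `affected-no-browser-switch` cannot use the control panel workaround as described, so they need separate handling.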
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Oracle Corporation | Affected | - | 10 Jan 2013 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 9.5 | E:H/RL:W/RC:C |
Environmental | 9.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
- http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Credit
Thanks to Kafeine for reporting this vulnerability.
This document was written by Will Dormann.
Other Information
- CVE IDs: Unknown
- Date Public: 10 Jan 2013
- Date First Published: 10 Jan 2013
- Date Last Updated: 10 Jan 2013
- Document Revision: 5
Source link: http://www.kb.cert.org/vuls/id/625617