
Security Alert

  • April 17, 2013 - Oracle has released multiple updates for Java SE

    Oracle released a critical patch update for Java SE on 17 April 2013.  A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.  Oracle strongly recommends that customers apply the fixes as soon as possible.

    Systems Affected
    ================

     * JDK and JRE 7 Update 17 and earlier

     * JDK and JRE 6 Update 43 and earlier

     * JDK and JRE 5.0 Update 41 and earlier

     * JavaFX 2.2.7 and earlier

    Apply Updates
    =============

    Developers can download the latest release from http://www.oracle.com/technetwork/java/javase/downloads/index.html.

    Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.

    The latest JavaFX release is included with the latest update of JDK and JRE 7. For JDK and JRE 6 users, the latest JavaFX release is available from http://www.oracle.com/technetwork/java/javafx/.

    For more complete information, please refer to the following links:

    http://www.us-cert.gov/ncas/alerts/TA13-107A
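    One defender-side check against the "Systems Affected" list above, as an added example that is not part of the original alert: it parses the legacy `1.<family>.0_<update>` version string that `java -version` prints and flags installs that fall within the affected ranges. The `java -version` output used here is a constructed sample; the update thresholds are the ones stated in the alert.

```python
import re

# Last affected update per Java family, taken from the alert above:
# JDK/JRE 7u17, 6u43 and 5.0u41 and earlier are affected.
AFFECTED_THROUGH = {7: 17, 6: 43, 5: 41}

# Legacy Java version strings look like "1.7.0_17" or "1.6.0_43-b01";
# the "_NN" update part is absent on a plain "1.7.0" (update 0).
_VERSION_RE = re.compile(r'^1\.(\d+)\.\d+(?:_(\d+))?(?:-[\w.]+)?$')


def parse_java_version(version_string):
    """Return (family, update) for a legacy Java version string."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version_string)
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_affected(version_string):
    """True/False for families covered by the alert; None for families it does not list."""
    family, update = parse_java_version(version_string)
    if family not in AFFECTED_THROUGH:
        return None
    return update <= AFFECTED_THROUGH[family]


def version_from_java_output(output):
    """Pull the quoted version out of `java -version` output (note: java writes it to stderr)."""
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        raise ValueError("no version line found in java -version output")
    return m.group(1)


def check_java_output(output):
    """Convenience wrapper: (version string, affected verdict) for captured java -version output."""
    version = version_from_java_output(output)
    return version, is_affected(version)


# Constructed sample of what `java -version` prints on a 7u17 install (not captured from a real host).
SAMPLE_OUTPUT = (
    'java version "1.7.0_17"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)\n'
)

if __name__ == "__main__":
    print(check_java_output(SAMPLE_OUTPUT))
```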

  • March 12, 2013 - Microsoft Updates for Multiple Vulnerabilities

    There are multiple vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Office, Microsoft Server Software and Microsoft Silverlight.  A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.  Microsoft has released updates to address these vulnerabilities.

    For details, please refer to:
    http://www.us-cert.gov/ncas/alerts/TA13-071A

  • March 05, 2013 - Oracle Java Contains Multiple Vulnerabilities

    An arbitrary memory read and write vulnerability in the Java JVM process could allow an attacker to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).

    Any web browser using the Java 5, 6, or 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.

    Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.

    Further technical details are available in Vulnerability Note VU#688246.

    For details, please refer to:
    http://www.us-cert.gov/ncas/alerts/TA13-064A

  • Feb 20, 2013 - Oracle Java Multiple Vulnerabilities

    The Oracle Java SE Critical Patch Update Advisory Update for February 2013 addresses multiple vulnerabilities in the Java Runtime Environment (JRE). An additional five fixes that had been previously planned for delivery are in this update. This distribution therefore completes the content for all originally planned fixes to be included in the Java SE Critical Patch Update for February 2013.

    Both Java applets delivered via web browsers and stand-alone Java applications are affected; however, web browsers using the Java plug-in are at particularly high risk.

    The Java plug-in, the Java Deployment Toolkit plug-in, and Java Web Start can be used as attack vectors. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).

    Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.

    Reports indicate that at least one of these vulnerabilities is being actively exploited.

    For details, refer to

  • Feb 1, 2013 - Oracle Java 7 Multiple Vulnerabilities

    The Oracle Java SE Critical Patch Update Advisory for February 2013 addresses multiple vulnerabilities in the Java Runtime Environment (JRE). Both Java applets delivered via web browsers and stand-alone Java applications are affected; however, web browsers using the Java 7 plug-in are at particularly high risk. Java 7 versions below Update 13 are affected.

    The Java 7 plug-in, the Java Deployment Toolkit plug-in, and Java Web Start can be used as attack vectors. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate website and upload a malicious Java applet (a "drive-by download" attack).

    Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.

    Reports indicate that at least one of these vulnerabilities is being actively exploited.

    For details, please refer to
    http://www.us-cert.gov/cas/techalerts/TA13-032A.html

  • Jan 23, 2013 - Update on Java Zero-day Security Vulnerability

    Further to our important bulk email notice sent on 14 Jan 2013 on the subject, we would like to keep our users updated on the situation while we continue monitoring the case.

    On 15 January 2013, our Internet firewall vendor released a "software signature" to detect and guard against the stated Java vulnerability, and this update was applied to HKU's Internet firewall immediately. Since then, PCs inside our campus network have been protected against the known threats arriving from the external Internet through the stated vulnerability.

    According to the latest announcement from CERT (http://www.kb.cert.org/vuls/id/625617), Java 7 Update 11 should have addressed the vulnerability concerned. If you need to use the following Java-based services of HKU Portal, or to gain access to other Java-based websites, you can enable Java in web browsers through the Java Control Panel after updating to 7u11.

    - Departmental Inventory system (DIS)
    - Financial Functions for Operational Staff (FFOS)
    - Facilities and Space Management Information / Departmental Rooms Information
    - Long leave application
    - IHP facilities booking system
    - CEDARS facilities (banner sites, rooms) booking system
    - HKUSU rooms booking system

    On the other hand, you need not enable Java in web browsers if your PC has so far not encountered any problems with Internet access. Keeping it disabled will help mitigate other Java vulnerabilities that could occur in the future.

    If you need any assistance, please contact our Service Desk (Room 104, Run Run Shaw Building, Tel: 28592480) or make an email enquiry to ithelp@hku.hk.

    Thank you for your attention.

    Information Security Team
    IT Services

  • Jan 14, 2013 - High Risk Oracle Java Security Vulnerability

    Further to the Security Alert posted yesterday on the subject, we would like to keep you updated on the situation:

    (1) Temporary measure to avoid risk due to the Java zero-day vulnerability

    Due to the high risk of the vulnerability found in Java Version 7 Update 10 (Java v7u10) and earlier updates, users are advised to disable Java for all web browsers until a solution/patch is available to fix the problem. The procedures for disabling this Java version on the different computer platforms are documented on the Java website: www.java.com/en/download/help/disable_browser.xml

    Our colleagues have been communicating with members of the Departmental Information Security Coordination Group to advise on mitigation in departments.

    (2) Implications for HKU central IT Services:

    We have reviewed the IT services supported by ITS. Most of the generally accessible Central IT Services reached through HKU Portal are not affected and continue to work properly when Java is disabled in web browsers, except for the following applications:

    - Departmental Inventory system (DIS)
    - Financial Functions for Operational Staff (FFOS)
    - Facilities and Space Management Information / Departmental Rooms Information
    - Long leave application
    - IHP facilities booking system
    - CEDARS facilities (banner sites, rooms) booking system
    - HKUSU rooms booking system

    For the time being, users who need to use the above applications, or any other web applications that require Java, can temporarily enable Java by selecting the option "Enable Java content in the browser" in the Java Control Panel described at www.java.com/en/download/help/disable_browser.xml (as stated in (1)), and turn it off again afterwards.

    (3) Java 7 Update 11

    Oracle released Java 7 Update 11 with vulnerability fixes on 13 January 2013 and advised users to install this update to address the widely publicized security issue. On the other hand, there are reports from security experts that this new update still leaves certain critical security flaws unfixed. We would therefore recommend keeping Java disabled in browsers until we have a clearer picture of the solution.

    Finally, we would like to remind our users that security intrusions by hackers happen every day. We should be very vigilant in refraining from accessing unknown websites, such as those introduced by unsolicited spam/phishing emails, and always stay alert in upholding the information security measures that enable HKU to stay safe in an Internet-connected world. ITS will closely follow up the Java zero-day vulnerability issue and update you with further actions and information.

    If you have any enquiry, please send email to ithelp@hku.hk.

    Thank you for your attention.

    Reference links:

    Oracle updates Java, security expert says it still has bugs: http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113

    Oracle Update Release Notes: http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

    Information Security Team
    IT Services
