The U.S. Department of Homeland Security has been reporting (along with the rest of the security industry) on problems with Java 7.
The full report is available at: http://www.us-cert.gov/cas/techalerts/TA13-010A.html
Leaving aside the fact that Update 11 has been released, which in "theory" fixes the problem, since in addition "….Java 7 Update 11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets…"
It is not entirely clear that the problem is actually fixed; many researchers say it persists.
See: http://www.kb.cert.org/vuls/id/625617. The most relevant parts of that article are reproduced below; it specifies that Java content be disabled in browsers unless strictly necessary.
Additionally: http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html, cited by CERT, reports that the patch actually fixed only one of the two existing bugs.
Solution
Update to Java 7u11
Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets. Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Restrict access to Java applets
Network administrators unable to disable Java in web browsers may be able to help mitigate this and other Java vulnerabilities by restricting access to Java applets. This may be accomplished by using proxy server rules, for example. Blocking or whitelisting web requests to .jar and .class files can help to prevent Java from being used by untrusted sources. Filtering requests that contain a Java User-Agent header may also be effective. For example, this technique can be used in environments where Java is required on the local intranet. The proxy can be configured to allow Java requests locally, but block them when the destination is a site on the internet.
More information at: http://www.itworld.com/node/336247; http://www.ibtimes.com/oracle-releases-java-security-fix-homeland-security-not-pleased-1016136
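The proxy rule CERT describes (block .jar/.class requests and Java User-Agent traffic to the internet, allow it to the local intranet) expressed as a small decision function. This is an added example, not code from CERT or Oracle; the intranet DNS suffix, the 10.0.0.0/8 range and the sample requests are constructed assumptions.

```python
from urllib.parse import urlparse
import ipaddress

# Constructed policy: zones where Java applets are still required (hypothetical values).
INTRANET_SUFFIXES = (".corp.example",)
INTRANET_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPLET_EXTENSIONS = (".jar", ".class")


def is_intranet(host):
    """True if the destination host is inside the local intranet (by name suffix or IP range)."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTRANET_NETS)
    except ValueError:  # not an IP literal, fall back to the DNS suffix check
        return host.lower().endswith(INTRANET_SUFFIXES)


def looks_like_java(user_agent, path):
    """Java's HTTP client identifies itself as 'Java/<version>'; applet code is fetched as .jar/.class."""
    return user_agent.startswith("Java/") or path.lower().endswith(APPLET_EXTENSIONS)


def proxy_decision(url, user_agent=""):
    """Return 'allow' or 'block' for one outbound request, following the CERT guidance above."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not looks_like_java(user_agent, parsed.path):
        return "allow"  # ordinary browser traffic is left untouched
    return "allow" if is_intranet(host) else "block"


def blocked_requests(requests):
    """Apply the policy to (url, user_agent) pairs and return the URLs that would be blocked."""
    return [url for url, ua in requests if proxy_decision(url, ua) == "block"]


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    sample = [
        ("http://intranet.corp.example/hr/TimeSheet.jar", "Java/1.7.0_11"),
        ("http://10.4.2.9/tools/Viewer.class", "Java/1.7.0_11"),
        ("http://cdn.example.net/ads/Loader.jar", "Java/1.7.0_10"),
        ("http://www.example.org/index.html", "Mozilla/5.0"),
    ]
    for url in blocked_requests(sample):
        print("BLOCK", url)
```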