Wednesday 23 January 2013

Security update KB2756920 for Windows 7 and Windows Server 2008 R2



* MS13-004 - Important

 - Reason for Revision: V2.0 (January 22, 2013): Bulletin
   rereleased to reoffer security update KB2756920 for Windows 7
   and Windows Server 2008 R2 to systems that are running in
   specific configurations known to have potential compatibility
   issues. Customers who are reoffered the update should
   reinstall this update. See the update FAQ for more
   information.
 - Originally posted: January 8, 2013
 - Updated: January 22, 2013
 - Bulletin Severity Rating: Important
 - Version: 2.0

Friday 11 January 2013

Oracle Java 7 Security Manager Bypass Vulnerability



Original release date: January 10, 2013
Last revised: --

Systems Affected

     Any system using Oracle Java 7 (1.7, 1.7.0) including

     * Java Platform Standard Edition 7 (Java SE 7)
     * Java SE Development Kit (JDK 7)
     * Java SE Runtime Environment (JRE 7)

     All versions of Java 7 through update 10 are affected.  Web
     browsers using the Java 7 plug-in are at high risk.


Overview

   A vulnerability in the way Java 7 restricts the permissions of Java
   applets could allow an attacker to execute arbitrary commands on a
   vulnerable system.


Description

   A vulnerability in the Java Security Manager allows a Java applet
   to grant itself permission to execute arbitrary code. An attacker
   could use social engineering techniques to entice a user to visit a
   link to a website hosting a malicious Java applet. An attacker
   could also compromise a legitimate web site and upload a malicious
   Java applet (a "drive-by download" attack).

   Any web browser using the Java 7 plug-in is affected. The Java
   Deployment Toolkit plug-in and Java Web Start can also be used as
   attack vectors.

   Reports indicate this vulnerability is being actively exploited,
   and exploit code is publicly available.

   Further technical details are available in Vulnerability Note
   VU#625617.


Impact

   By convincing a user to load a malicious Java applet or Java
   Network Launching Protocol (JNLP) file, an attacker could execute
   arbitrary code on a vulnerable system with the privileges of the
   Java plug-in process.


Solution

   Disable Java in web browsers

   This and previous Java vulnerabilities have been widely targeted by
   attackers, and new Java vulnerabilities are likely to be
   discovered. To defend against this and future Java vulnerabilities,
   disable Java in web browsers.

   Starting with Java 7 Update 10, it is possible to disable Java
   content in web browsers through the Java control panel applet. From
   "Setting the Security Level of the Java Client":

   For installations where the highest level of security is required,
   it is possible to entirely prevent any Java apps (signed or
   unsigned) from running in a browser by de-selecting "Enable Java
   content in the browser" in the Java Control Panel under the Security
   tab.

   If you are unable to update to Java 7 Update 10, please see the
   solution section of Vulnerability Note VU#636312 for instructions
   on how to disable Java on a per-browser basis.
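
   The following audit sketch is an added example, not part of the alert or of any Oracle tooling. It classifies a host from the first line of `java -version` and the text of the user's deployment.properties file. The property name `deployment.webjava.enabled` (the file-level form of the Control Panel checkbox) and the enabled-by-default behaviour are assumptions not stated on this page; host names and inputs are constructed.

```python
import re

def java7_update(version_output):
    """Return the Java 7 update number (0 for the GA build), or None if not Java 7."""
    m = re.search(r'version "1\.7\.0(?:_(\d+))?[^"]*"', version_output)
    return int(m.group(1) or 0) if m else None

def parse_properties(text):
    """Minimal key=value parser for deployment.properties; skips blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def browser_java_disabled(properties_text):
    # Assumption: an absent key means the checkbox is still ticked (enabled).
    value = parse_properties(properties_text).get("deployment.webjava.enabled", "true")
    return value.lower() == "false"

def assess(version_output, properties_text=""):
    """Classify one host against the alert's affected range and mitigation."""
    update = java7_update(version_output)
    if update is None or update > 10:
        return "outside the alert's affected range"
    if update < 10:
        # The Control Panel switch only exists from Update 10 onwards.
        return "affected: disable Java per browser"
    if browser_java_disabled(properties_text):
        return "affected: browser content disabled"
    return "affected: browser content still enabled"

if __name__ == "__main__":
    # Constructed sample inventory: (host, `java -version` first line, properties text).
    inventory = [
        ("ws-01", 'java version "1.7.0_09"', ""),
        ("ws-02", 'java version "1.7.0_10"', "deployment.webjava.enabled=false\n"),
        ("ws-03", 'java version "1.7.0_10"', "#deployment.properties\n"),
        ("ws-04", 'java version "1.6.0_38"', ""),
    ]
    for host, version, props in inventory:
        print(f"{host}: {assess(version, props)}")
```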

Thursday 10 January 2013

Red Hat Enterprise Linux 5.9 introduced

Customers with a Red Hat Enterprise Linux (RHEL) support contract are now able to download version 5.9 of the company's Linux distribution. The new release updates RHEL 5 to include Microsoft's Hyper-V driver, OpenJDK 7 and Samba 3.6. This minor version update of RHEL 5 also marks the completion of the first support phase of the revised Red Hat support life cycle; it has taken five years to get to this point – RHEL 5 was introduced in 2007.

The integrated Hyper-V driver is designed to make the Linux distribution work better under Microsoft's hypervisor – for example in clouds with Windows hosts. The drivers that have been developed by Microsoft have been part of the official Linux kernel for some time, but didn't meet the kernel developers' quality requirements up until a few months ago; this was probably the reason why Red Hat previously disregarded these drivers. The developers have also updated the more recent of the two included Samba variants to version 3.6; this version is part of the Samba3x packages and supports the second generation Server Message Block network protocol (SMB2), which is said to produce less overhead during data exchanges and works faster as a result. Red Hat has also updated the SystemTap system diagnostics software to version 1.8, introducing various minor improvements. Further new additions are OpenJDK 7 and version 5 of the rsyslog system logging service. However, both are optional, which means that systems will continue to use OpenJDK 6 and the older version of rsyslog unless users manually switch to the newer versions.

As usual, Red Hat has improved the distribution's support for new processors and has updated a whole range of drivers – including the bfa driver, which supports the Brocade Fibre Channel host adapter and is no longer classified as a technology preview. A new RHEL 5 component is the ib_qib driver that is intended for QLogic InfiniBand host channel adapters and supersedes the ib_ipath driver, though that driver continues to be usable. Further details of the new features can be found in the product announcement and in the RHEL 5.9 release and technical notes.

[Figure: The RHEL life cycle. Source: Red Hat]


The completion of the first support phase has marked the beginning of the Production 2 Phase in the life cycle of RHEL 5. In this phase, Red Hat will no longer integrate any major new features such as those introduced in RHEL 5.9. Even driver updates and other new hardware support improvements will only be made if they don't require much effort. Red Hat will, however, continue to issue minor releases and make new installation images available that include all changes made up to that point. This second maintenance phase will end in the first quarter of 2014. After that time, Red Hat will reduce the distribution's maintenance even further in the Production 3 Phase, which will still provide security patches and bug fixes, but no further minor releases or updated drivers.

[Figure: Support phases of RHEL 5 and 6. Source: Red Hat]


The third maintenance phase of RHEL 5 will end in the first quarter of 2017, but customers will be able to purchase three further years of support and extend the overall maintenance period of RHEL 5 to a total of thirteen years. If Red Hat keeps to its current release rhythm, RHEL 9 should already be available when this phase is complete. A first beta of RHEL 7 has been scheduled for the first half of 2013, and version 6.4 is already in beta testing. The fourth minor release of RHEL 6 should become available in a few weeks; in addition, Oracle Linux, CentOS, Scientific Linux and others will probably release their usual free-of-charge RHEL 5.9 clones over the coming weeks.

Friday 4 January 2013

Microsoft Releases Security Advisory on Fraudulent Digital Certificates



Microsoft has released Security Advisory 2798897 in response to active attacks using fraudulent digital certificates issued by TURKTRUST Inc.
These fraudulent certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This vulnerability affects all supported releases of Microsoft Windows.

This update revokes the trust of the fraudulent certificates and places them in the Microsoft Untrusted Certificate Store.

US-CERT encourages users and administrators to review Microsoft Security Advisory 2798897 and follow best-practice security policies to determine if the update should be applied.