Java Reflection API Vulnerability Exploited

No Java component has had a bigger bull’s eye on its back this year than the Java Reflection API. Bug hunters and hackers alike have found a number of zero-days related to the Reflection API, most of which enable the remote execution of code outside the Java sandbox that’s supposed to prevent suc...

CVE-2013-3132

Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly check the permissions of objects that use reflection, which allows remote attackers to execute arbitrary code via 1 a crafted XAML browser application XBAP or 2 a crafted .NET Framework application, aka...

Design/Logic Flaw

Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly check the permissions of objects that use reflection, which allows remote attackers to execute arbitrary code via 1 a crafted XAML browser application XBAP or 2 a crafted .NET Framework application, aka "Anonymous Method...

Authorization

Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly check the permissions of objects that use reflection, which allows remote attackers to execute arbitrary code via 1 a crafted XAML browser application XBAP or 2 a crafted .NET Framework application, aka...

CVE-2013-3132

The CVE-2013-3132 issue affects Microsoft .NET Framework versions 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, and 4.5. It stems from improper permission checks for objects that use reflection, allowing remote code execution when a user opens a crafted XBAP or a crafted .NET Framework application. T...

CVE-2013-3133

Microsoft .NET Framework CVE-2013-3133 affects multiple runtimes (2.0 SP2, 3.5, 3.5.1, 4, 4.5). The root cause is improper permission checks on objects that use reflection, enabling remote code execution via a crafted XBAP or a crafted .NET Framework application (anonymous method injection). Conn...

CVE-2013-3132

Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly check the permissions of objects that use reflection, which allows remote attackers to execute arbitrary code via 1 a crafted XAML browser application XBAP or 2 a crafted .NET Framework application, aka...

CVE-2013-3133

Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly check the permissions of objects that use reflection, which allows remote attackers to execute arbitrary code via 1 a crafted XAML browser application XBAP or 2 a crafted .NET Framework application, aka "Anonymous Method...

MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)

The version of the .NET Framework installed on the remote host is reportedly affected by the following vulnerabilities : - A vulnerability exists in the way that affected components handle specially crafted TrueType font files that could lead to remote code execution. An attacker could leverage...

Microsoft .NET Framework Multiple Vulnerabilities (2861561)

This host is missing an important security update according to Microsoft Bulletin MS13-052. SPDX-FileCopyrightText: 2013 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...

Oracle's Java Security Plans Don't Address Sandbox Flaws

For all of Oracle’s bluster last Thursday about Java security enhancements, next to nothing was said about the real issue behind months of misery this year: the Java sandbox. Oracle broke its radio silence late last week with an out-of-the-blue blogpost full of promises about getting Java right...

Massive 167Gbps DDoS attacks against Banking and Financial Institutions

DDoS attackers attempted to bring down an Banking services earlier this week using one of the largest Distributed denial of service attack using DNS reflection technique. Prolexic, the global leader in Distributed Denial of Service DDoS protection services, announced that it has successfully...

Massive 167Gbps DDoS attacks against Banking and Financial Institutions

DDoS attackers attempted to bring down an Banking services earlier this week using one of the largest Distributed denial of service attack using DNS reflection technique. Prolexic, the global leader in Distributed Denial of Service DDoS protection services, announced that it has successfully...

FBI sponsored Ragebooter DDoS attack service

A website that can be described as "DDoS for hire" is perfectly legitimate, according to the owner. Malicious sites that offer attack services are not strangers on the Internet, but web sites sponsored by law enforcement is another story altogether. Ragebooter, is one of many sites that accepts...

FBI sponsored Ragebooter DDoS attack service

A website that can be described as "DDoS for hire" is perfectly legitimate, according to the owner. Malicious sites that offer attack services are not strangers on the Internet, but web sites sponsored by law enforcement is another story altogether. Ragebooter, is one of many sites that accepts...

[SE-2012-01] Yet another Reflection API flaw affecting Oracle's Java SE

Hello All, Today, a vulnerability report with an accompanying Proof of Concept code was sent to Oracle notifying the company of a new security weakness affecting Java SE 7 software. The new flaw was verified to affect all versions of Java SE 7 including the recently released 1.7.021-b11. It can b...

[SE-2012-01] New security vulnerabilities and broken fixes in IBM Java

Hello All, Security Explorations discovered 7 additional security issues 62-68 in the latest version of IBM SDK, Java Technology Edition software 1. A majority of the new flaws are due to insecure use or implementation of Java Reflection API. Additionally to the above, we found out that four issu...

Java Applet Reflection Type Confusion Remote Code Execution (CVE-2013-2423)

An unknown vulnerability has been reported in Java Runtime Environment. The vulnerability is due to unknown vectors related to HotSpot. A remote attacker can exploit this issue by enticing a target user to view a specially crafted web page...

Java 1.7.0_21-b11 Code Execution

No description provided by source. The new flaw was verified to affect all versions of Java SE 7 including the recently released 1.7.021-b11. It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper use...

Oracle Java Runtime Environment 'Reflection API'任意代码执行漏洞

Oracle Java Runtime Environment是一款为JAVA应用程序提供可靠的运行环境的解决方案。 Oracle Java SE 7包括最近发布的1.7.021-b11存在一个安全漏洞，允许远程攻击者利用漏洞绕过Java安全沙盒，并以WEB浏览器上下文执行任意代码。 要成功利用此漏洞需要用户有一定的交互，如在显示安全警告窗口时需要用户接受执行潜在恶意Java应用的风险。 根据研究者声称，此漏洞还影响Server JRE 7。 0 Oracle Java SE 7及之前版本 厂商解决方案 目前没有详细解决方案提供： http://www.oracle.com...