Overview
Oracle released the June 2013 Critical Patch Update for Oracle Java SE. This patch contains 40 new security fixes across Java SE products and a fix to the Javadoc Tool. API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server.
Description
Oracle's June Critical Patch Update includes a fix to the Javadoc Tool. API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server. Additional information can be found in CERT Vulnerability Report VU#225657. It is recommended that sites hosting such pages should re-generate the API documentation using the latest Javadoc tool and replace the current pages with the re-generated Javadoc output. In cases where regenerating API documentation is not feasible, a Java API Documentation Updater Tool that updates API documentation "in place" is available Oracle's Java SE Downloads page.
Impact
An attacker can cause one of the frames within a Javadoc-generated web page to be replaced with a malicious page. This vulnerability could be used for phishing or social engineering, or it could be used for browser exploitation if combined with another browser-related vulnerability.
Solution/ Workarounds
✻ Update the latest version of the Mozilla's Firefox on Windows, Linux and Mac.
References
✻ http://www.us-cert.gov/ncas/alerts/TA13-169A
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.