New security hole found in multiple Java versions

The same team of Polish researchers who discovered a critical security hole in Oracle’s Java software say that they uncovered another such hole, which could be used to bypass Java’s secure application “sandbox” – this time on many more versions of Java.

Adam GowdiakResearchers at Security Explorations, based in Poland, discovered the flaw in Oracle’s Java Standard Edition (SE) and developed a proof of concept exploit for it which permits “complete Java security sandbox bypass,” according to the company’s CEO, Adam Gowdiak.

Writing in an email response to questions from Naked Security, Gowdiak said that he couldn’t discuss details of the vulnerability, beyond saying that the flaw:

“allows to violate a fundamental security constraint of a Java Virtual Machine (type safety).”

An attacker with knowledge of the security hole and how to exploit it could host an attack on a specially crafted website or banner advertisement, using a malicious Java application to trigger the hole and gain control over the vulnerable system, Gowdiak explained:

“Upon convincing the user to visit such a website, typically by getting them to click a link in an email or in an Instant Messenger message, malicious web content could be delivered to affected systems,”

Gowdiak said that the vulnerability was rated “critical” by his team.

“We were able to successfully exploit it and achieve a complete Java security sandbox bypass,”

Security Explorations made headlines in August when they claimed responsibility for discovering critical, exploitable vulnerabilities in Java 7.

The company responsibly disclosed those holes to Oracle in early April, 2012. However, Oracle did not rush to fix them. By August, two of those vulnerabilities were re-discovered independently and publicly disclosed, leading to a wave of online attacks linked to malware.

Security Explorations again made news when it revealed that Oracle’s rushed patch for the Java holes was easily bypassed.

Coffee cup, courtesy of ShutterstockThe latest hole is more serious because it affects more versions of the Java SE software. According to Gowdiak, the exploit worked with Java SE versions 5, 6 and 7, including the latest version of Java: SE 7 update 7 running on a fully patched Windows 7 32-bit OS.

Roughly a billion devices globally run one of those versions of the Java software, according to Oracle.

Security Explorations successfully tested its exploit against Internet Explorer and the Firefox, Chrome, Opera and Safari Web browsers, Gowdiak said.

The latest vulnerability, labeled “Issue 50,” was disclosed to Oracle on Tuesday and the company has not yet responded to it.

Security holes in common software components like Java are highly prized by hackers and cyber criminal groups, as they can be used against a great variety of platforms and because the vulnerability has a high likelihood of being present on a target system.

In the case of the previous Java holes, malicious actors quickly added exploits for them to the popular Blackhole exploit kit and used them in web- and email based phishing attacks.

Coffee cup, courtesy of Shutterstock.