The same team of Polish researchers who discovered a critical security hole in Oracle’s Java software say that they uncovered another such hole, which could be used to bypass Java’s secure application “sandbox” – this time on many more versions of Java.
Researchers at Security Explorations, based in Poland, discovered the flaw in Oracle’s Java Standard Edition (SE) and developed a proof of concept exploit for it which permits “complete Java security sandbox bypass,” according to the company’s CEO, Adam Gowdiak.
Writing in an email response to questions from Naked Security, Gowdiak said that he couldn’t discuss details of the vulnerability, beyond saying that the flaw:
“allows to violate a fundamental security constraint of a Java Virtual Machine (type safety).”
An attacker who knew of the hole and how to exploit it could host the attack on a specially crafted website or in a banner advertisement, using a malicious Java application to trigger the flaw and take control of the vulnerable system, Gowdiak explained:
“Upon convincing the user to visit such a website, typically by getting them to click a link in an email or in an Instant Messenger message, malicious web content could be delivered to affected systems.”
Gowdiak said that the vulnerability was rated “critical” by his team.
“We were able to successfully exploit it and achieve a complete Java security sandbox bypass.”
Security Explorations made headlines in August when it claimed responsibility for discovering critical, exploitable vulnerabilities in Java 7.
The company responsibly disclosed those holes to Oracle in early April, 2012. However, Oracle did not rush to fix them. By August, two of those vulnerabilities were re-discovered independently and publicly disclosed, leading to a wave of online attacks linked to malware.
Security Explorations again made news when it revealed that Oracle’s rushed patch for the Java holes was easily bypassed.
The latest hole is more serious because it affects a wider range of versions of the Java SE software. According to Gowdiak, the exploit worked against Java SE 5, 6 and 7, including the then-current release, Java SE 7 Update 7, running on a fully patched 32-bit Windows 7 system.
Roughly a billion devices globally run one of those versions of the Java software, according to Oracle.
Security Explorations successfully tested its exploit against Internet Explorer and the Firefox, Chrome, Opera and Safari Web browsers, Gowdiak said.
The latest vulnerability, labeled “Issue 50,” was disclosed to Oracle on Tuesday and the company has not yet responded to it.
Security holes in widely deployed software components like Java are highly prized by hackers and cyber criminal groups: because the Java runtime is installed across many operating systems and browsers, a single exploit works against a great variety of platforms, and the vulnerable component has a high likelihood of being present on any given target system.
In the case of the previous Java holes, malicious actors quickly added exploits for them to the popular Blackhole exploit kit and used them in web- and email-based phishing attacks.
8 comments on “New security hole found in multiple Java versions”
Oracle is being irresponsible in their lack of expediency in releasing patches.
I recently removed the Java Runtime Environment & the Java 6 update 32 from my computer. So far I haven't seen any problems with that removal, however I haven't been on Facebook yet to see if that site will have any problems with the removal.
Oracle gets a big fat “F” in their handling of Java. This latest zero day vulnerability is one such example. I completely removed Java from my Mac. On my Bootcamp partition, I have Windows 7 Ultimate installed. I didn’t install Java, so it’s safe. I’m never going to install Java ever again. It’s time to give Java the boot, because of the vulnerabilities that were discovered. If you have Java installed on your system, REMOVE IT IMMEDIATELY!!
I removed all traces of Java several weeks ago & no problems at all, with any program I use.
The only site I've had any trouble using was the Online Scanner at Secunia; it requires Java. A bit strange considering the company is security related.
I'll stick with the PSI Scanner.
Home: I'm safe.
But as far as folks in the workplace, we're working at a fever pitch to make sure the desktops are current and hopefully there is patch coming. The Web applications some places use need Java and therefore are stuck hoping.
G'day. Has anyone heard if the latest version to date, v7 u9, has this vulnerability covered?
Apparently the vulnerability discussed here is not fixed in 7u9.
Since we have no idea about the vulnerability except for Gowdiak's statement that it allows Java type safety to be violated, we can't say whether Oracle has been slow in not patching it, or whether it deserved more time than three weeks to fix it safely.
Gowdiak himself, in an interview with Computerworld back in September, said, "There are still 3 weeks till the scheduled Java Oct CPU, so it might be possible that the bug will be addressed by the company on 16 Oct 2012."
So he seems to concede that it probably would take longer than three weeks, and, apparently, it has.
Presumably that means that it'll be fixed next February. (Java is updated every four months, not quarterly. Don't ask me why.) Oracle does have a Security Alert process for so-called "out of band" patches if a known vulnerability turns up in the wild. Let's hope it doesn't come to that.
Looks like a scam to me. Have you noticed nobody seems to know or can't talk about any of the details to this "security hole". I think I will keep my java.