Yet another unpatched security hole found in Java

Just last week Oracle issued a critical security patch for Java, and strongly advised computer users to update their systems as soon as possible.

If you did update your Java installation, give yourself a pat on the back.

Done that? Good. Because, unfortunately, the celebrations need to be short-lived as a security researcher now claims to have found yet another as-yet-unpatched flaw, which affects all versions of Java SE 7.

Adam Gowdiak, of the Polish firm Security Explorations, has made a name for himself in the past discovering numerous Java zero-day vulnerabilities.

In an internet posting, Gowdiak claims to have sent to Oracle a report about a reflection API vulnerability in the newly shipped Server Java Runtime Environment (JRE), notifying them of the new security weakness.

The report filed with Oracle’s security team was accompanied by proof-of-concept code, making it easy for the software vendor to test the exploit for themselves.

[The exploit] can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).

What's interesting is that the new issue is present not only in JRE Plugin / JDK software, but also the recently announced Server JRE as well.

Clearly, things could have been worse. Even if this vulnerability is exploited by malicious hackers, users are still prompted with a security dialog, which is better than nothing at all.

But it’s easy to imagine how simple social engineering would trick many users into granting permission for the malicious code to execute.

Once again, many computer users will be asking themselves whether it’s really worth having Java installed on their computers or not, looking to see when Oracle will confirm that the flaws exist, and then waiting for the inevitable security update for Java.

Oracle has been feeling the heat recently, after a spate of malware attacks have exploited holes in its Java product and given the software a reputation for lousy security. The fact that (like Adobe PDF Reader and Flash) it is installed on so many computers makes it an attractive target for cybercriminals, who know that in all likelihood it will be present on potential victims’ computers.

It’s no wonder that some companies are seriously investigating whether they can afford to remove Java from their corporate computers. It’s not such a simple decision, as many organisations do rely upon bespoke software and websites that may still require Java.

Which is why it was good to hear the news last week that the Safari browser had been updated to offer an alternative to “all-or-nothing”, and now allows users to choose which Java applets should be run, and which should be blocked.

Here’s the best piece of advice we can give you at the moment:

If you don’t need Java enabled in your browser, here’s how to turn it off now

Many people who have Java enabled in their browser simply do not need it (by the way, don’t mix up Java with JavaScript – they’re different things), so the best solution for many folks is to rip Java out of their browser entirely.

If you don’t need Java, why put yourself at risk?

Want to know more about Java and security?

Listen to our “All about Java” Techknow podcast.

Listen to the podcast, duration 16’19”.