Just last week Oracle issued a critical security patch for Java, and strongly advised computer users to update their systems as soon as possible.
If you did update your Java installation, give yourself a pat on the back.
Done that? Good. Because, unfortunately, the celebrations need to be short-lived as a security researcher now claims to have found yet another as-yet-unpatched flaw, which affects all versions of Java SE 7.
Adam Gowdiak, of Polish Security Explorations, has made a name for himself in the past discovering numerous Java zero-day vulnerabilities.
In an internet posting, Gowdiak claims to have sent to Oracle a report about a reflection API vulnerability in the newly shipped Server Java Runtime Environment (JRE), notifying them of the new security weakness.
The report filed with Oracle’s security team was accompanied by proof-of-concept code, making it easy for the software vendor to test the exploit for themselves.
[The exploit] can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).
What's interesting is that the new issue is present not only in JRE Plugin / JDK software, but also the recently announced Server JRE as well.
Clearly, things could have been worse. The fact that users are still shown a security dialog, even when malicious hackers attempt to exploit this vulnerability, is better than nothing at all.
But it’s easy to imagine how simple social engineering would trick many users into granting permission for the malicious code to execute.
Once again, many computer users will be asking themselves whether it’s really worth having Java installed on their computers or not, looking to see when Oracle will confirm that the flaws exist, and then waiting for the inevitable security update for Java.
Oracle has been feeling the heat recently, after a spate of malware attacks has exploited holes in its Java product and given the software a reputation for lousy security. The fact that (like Adobe PDF Reader and Flash) it is installed on so many computers makes it an attractive target for cybercriminals, who know that in all likelihood it will be present on potential victims’ computers.
It’s no wonder that some companies are seriously investigating whether they can afford to remove Java from their corporate computers. It’s not such a simple decision – as many organisations do rely upon bespoke software and websites that may still require Java.
That is why it was good to hear the news last week that the Safari browser had been updated to offer an alternative to “all-or-nothing”, and now allows users to choose which Java applets should be run, and which should be blocked.
Here’s the best piece of advice we can give you at the moment:
If you don’t need Java enabled in your browser, here’s how to turn it off now
Many people who have Java enabled in their browser simply do not need it (By the way, don’t mix up Java with JavaScript – they’re different things), so the best solution for many folks is to rip Java out of their browser entirely.
If you don’t need Java, why put yourself at risk?
Want to know more about Java and security?
Listen to our “All about Java” Techknow podcast.
Of course, if security "researchers" would quit announcing to the entire world every hole in security they find, then malware authors would not have a research department to find exploitable items for them!
"If you don't need Java, why put yourself at risk?"
I suspect that for the majority of users, it's the answer to the first part of the question that provides the stumbling block of uncertainty. The more fundamental question is, "How can I tell whether I need Java?"
For my part, I figured it out by trial and error. I disabled Java in my regular browser. In the course of normal browsing I found only one website that requires Java. (It's a financial services website I visit monthly for periodic transactions.) So, within a one-month period, I determined that there was only one website that requires Java. I use one browser that has the Java applet enabled for that website. For everything else I use my regular browser, in which Java is disabled.
There might be another way to do it, but that's what worked for me.
Does this mean my refrigerator is in peril?
Bob, you need to check your history a bit. Adobe's track record on security was abysmal. It's still not good, but it's passable.
Security groups used to privately send Adobe information about issues they found. Adobe would frequently take 3-6 MONTHS to get a patch released.
It was not until security researchers started saying, "You know what? You've got X days, Adobe, and then we're releasing this information to the public." Adobe was basically embarrassed into producing patches more rapidly.
In this specific case, the researchers sent Adobe proof-of-concept code so they could fix the issue.
So, my thought on these researchers is "GREAT JOB! Keep up the good work!"
Nigel, that's a GREAT idea! Thanks!
This: http://xkcd.com/1197/
Especially the mouseover text.
Whilst it's easy to beat up on Oracle, they truly deserve it!
Every week or two they trot out a new urgent security update that forces us into another round of compatibility testing and certification against our product. Each time, the 'improved' version requires a more complex fix than the last. Then we get to notify the customers just in time for another urgent update to be released…
Oracle, sort it out now! You're pushing the boundaries of what your customers (and theirs) will tolerate.
Why would I use Java in my products when the majority of the industry is telling people to remove it? Java hurts my products' credibility!
I agree with Scott and a great idea Nigel! (+1 both of you)