News

Researchers find another Java security flaw

Researchers from a Poland-based vulnerability research firm on Friday announced that they had found vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software’s security sandbox and execute arbitrary code on computers.

Oracle released Java 7 Update 11 last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware.

Security Explorations successfully confirmed that a complete Java security sandbox bypass can be still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company’s researchers, Adam Gowdiak, the company’s founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.

According to Security Explorations’ disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.

Researchers from security firm Immunity, who analyzed the exploit being used by cybercriminals since last week, concluded that it also combined two vulnerabilities to achieve a Java sandbox escape. However, they later said in a blog post that Java 7 Update 11 only addressed one of them and warned that if attackers find another vulnerability to replace the patched one, a new exploit can be created.

The vulnerabilities discovered by Security Explorations are separate from the one left unpatched by Oracle in Java 7 Update 11, Gowdiak said on Friday via email.

Some security researchers, including those from the U.S. Computer Emergency Readiness Team (US-CERT), continued to advise users to disable the Java browser plug-in despite the release of Java 7 Update 11, citing concerns that similar attacks might occur in the future.

“There is definitely something worrying regarding the quality of Java SE 7 code,” Gowdiak said. This could suggest the lack of a proper Secure Development Lifecycle program for Java or some other problems that are internal to Oracle, he said.

That said, the fact that Java 7 Update 11 asks for users’ confirmation before allowing Java applets to be executed inside browsers is definitely a step in the right direction and could block many attacks, Gowdiak said.

Previous ArticleNext Article

Leave a Reply

GET TAHAWUL TECH IN YOUR INBOX

The free newsletter covering the top industry headlines

Send this to a friend