Another Week, Another Java Security Issue Found
Polish security start-up Security Explorations has found another hole that allows hackers to bypass critical security measures, affecting Java SE 5, 6 and 7 - the last eight years' worth of Java releases. According to the company, the following Java versions are vulnerable:
- Java SE 5 Update 22 (build 1.5.0_22-b03)
- Java SE 6 Update 35 (build 1.6.0_35-b10)
- Java SE 7 Update 7 (build 1.7.0_07-b10)
“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote.
Security Explorations tested the exploit on a fully patched Windows 7 32-bit computer with Chrome, Firefox, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit versions, Gowdiak confirmed to InfoQ that the vulnerability is platform independent and “can be successfully exploited on all supported platforms provided that Oracle Java Plugin is installed and enabled in a target web browser”.
In terms of what the exploit would allow a hacker to do, Gowdiak told us:
A malicious Java applet or application exploiting this issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user. In our proof of concept code we create a file and execute "notepad.exe".
Security Explorations have so far found a total of 50 Java flaws and you can see a timeline for them here. Of these Gowdiak told us:
- 31 issues were reported to Oracle (17 different complete sandbox bypass exploits)
- 2 issues were reported to Apple (1 complete sandbox bypass exploit)
- 17 issues were reported to IBM (10 different complete sandbox bypass exploits).
While this latest issue is not thought to be exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability. Oracle has confirmed this new issue, and according to Gowdiak they are evaluating fixes. It will be interesting to see if a fix is included in the next Java SE update, scheduled for release on the 16th Oct 2012. We did contact Oracle for a comment but hadn't received a reply at the time of publication.