Another Week, Another Java Security Issue Found

by Charles Humble on Oct 04, 2012

Polish security start-up Security Explorations has found another hole that allows hackers to bypass critical security measures, affecting Java SE 5, 6 and 7 - the last eight years' worth of Java releases. According to the company, the following Java versions are vulnerable:

  • Java SE 5 Update 22 (build 1.5.0_22-b03)
  • Java SE 6 Update 35 (build 1.6.0_35-b10)
  • Java SE 7 Update 7 (build 1.7.0_07-b10)

“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote.

Security Explorations tested the exploit on a fully patched Windows 7 32-bit computer with Chrome, Firefox, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit versions, Gowdiak confirmed to InfoQ that the vulnerability is platform independent and “can be successfully exploited on all supported platforms provided that Oracle Java Plugin is installed and enabled in a target web browser”.

In terms of what the exploit would allow a hacker to do, Gowdiak told us:

“A malicious Java applet or application exploiting this issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user. In our proof of concept code we create a file and execute "notepad.exe".”

Security Explorations has so far found a total of 50 Java flaws, and you can see a timeline for them here. Of these, Gowdiak told us:

  • 31 issues were reported to Oracle (17 different complete sandbox bypass exploits)
  • 2 issues were reported to Apple (1 complete sandbox bypass exploit)
  • 17 issues were reported to IBM (10 different complete sandbox bypass exploits)

While this latest issue is not thought to be exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability. Oracle has confirmed this new issue, and according to Gowdiak they are evaluating fixes. It will be interesting to see if a fix is included in the next Java SE update, scheduled for release on the 16th Oct 2012. We did contact Oracle for a comment but haven't received a reply at the time of publication.
