Java Still Vulnerable, Despite Latest Patches

by Charles Humble on Apr 24, 2013 |

Just days after the latest fix, security researcher Adam Gowdiak has found another Java vulnerability. In the accompanying disclosure post Gowdiak notes that the Reflection API flaw affects all versions of Java SE 7 and, "can be used to achieve a complete Java security sandbox bypass on a target system". The vulnerability exists in both the plug-in/JDK software, and also in the Server JRE. Exploitation via the web browser does require a user "to accept the risk of executing a potentially malicious Java application when a security warning window is displayed," Gowdiak wrote.

Gowdiak states that his company, Security Explorations, has sent the vulnerability report along with proof-of-concept code to Oracle.

Security Explorations first contacted Oracle about security problems in Java SE 7, and in the Reflection API in particular, as far back as April 2012. However, "it looks," according to Gowdiak, "like Oracle was primarily focussed on hunting down potentially dangerous Reflection API calls in the 'allowed' classes space", i.e. the classes that untrusted applets and Web Start applications are permitted to access.

The fact that this latest vulnerability also impacts the Server JRE makes it somewhat unusual. Last week, Oracle released a patch covering another 42 flaws, 19 of which had a 10 (most severe) rating according to the CVSS metric the company uses for evaluation. Most of these flaws apply to client-side Java, however, and can only be exploited through untrusted applets and Web Start applications.

The patch for them arrived just in time. According to a short blog post published by Timo Hirvonen, a researcher at the antivirus vendor F-Secure, attacks using one of the remote-code-execution vulnerabilities (CVE-2013-2423) have begun showing up in the wild, probably after being added to the CrimeBossCool and CritX exploit kits, as well as to the penetration testing product Metasploit. RedKit was also reported at one point, but Hirvonen confirmed to InfoQ that this was caused by incorrect reporting from F-Secure's automated tooling.

This news follows a difficult few months for Java on the security front. After several months of negative press, Oracle's recently appointed Head of Java Security, Milton Smith, stated on a conference call in January that Oracle would focus on fixing issues and improving communication with community members.

Java hit the headlines again the following month when a zero-day flaw in Java was exploited by hackers targeting multiple companies, including Apple, Facebook, Microsoft and probably Twitter.

Oracle's need to focus more resources on the ongoing battle with Java's security problems has also been cited as a reason for JDK 8 slipping to 2014.

InfoQ contacted Oracle for a comment on this story but they declined.

InfoQ.com and all content copyright © 2006-2014 C4Media Inc.