Another Week, Another Java Security Issue Found

| by Charles Humble Follow 868 Followers on Oct 04, 2012. Estimated reading time: 1 minute |

Polish security start-up Security Explorations has found another hole that allows hackers to bypass critical security measures, affecting Java SE 5, 6 and 7 - the last eight year's worth of Java releases. According to the company the following Java versions are vulnerable:

  • Java SE 5 Update 22 (build 1.5.0_22-b03)
  • Java SE 6 Update 35 (build 1.6.0_35-b10)
  • Java SE 7 Update 7 (build 1.7.0_07-b10)

“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote.

Security Explorations tested the exploit on a fully patched Windows 7 32-bit computer with Chrome, Firefox, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit versions, Gowdiak confirmed to InfoQ that the vulnerability is platform independent and “can be successfully exploited on all supported platforms provided that Oracle Java Plugin is installed and enabled in a target web browser”.

In terms of what the exploit would allow a hacker to do, Gowdiak told us that

A malicious Java applet or application exploiting this issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user. In our proof of concept code we create a file and execute "notepad.exe".

Security Explorations have so far found a total of 50 Java flaws and you can see a timeline for them here. Of these Gowdiak told us:

  • 31 issues were reported to Oracle (17 different complete sandbox bypass exploits)
  • 2 Issues were reported to Apple (1 complete sandbox bypass exploit)
  • 17 issues were reported to IBM (10 different complete sandbox bypass exploits).

While this latest is not thought to be being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability. Oracle has confirmed this new issue, and according to Gowdiak they are evaluating fixes. It will be interesting to see if a fix is included in the next Java SE update scheduled for release on the16th Oct 2012. We did contact Oracle for a comment but haven't received a reply at the time of publication.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Educational Content

Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you