Critical zero-day Java vulnerability discovered

by Mark Tyson on 27 September 2012, 12:30

Tags: Oracle (NASDAQ:ORCL), PC

Quick Link: HEXUS.net/qabmyf

Add to My Vault: x

Polish computer security research firm Security Explorations have detailed a new critical Java vulnerability. According to Security Explorations researcher Adam Gowdiak, the newly discovered Java exploit affects one billion users of Oracle Java SE software. He added that, via a malicious Java app, “An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.”

Writing on the Full Disclosure mailing list, Mr Gowdiak says that the newly found Java flaw affects “all latest versions of Oracle Java SE software”. Whereas August’s previous critical exploit affected only version 7 of the software, the new vulnerability allows “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7”. The security tests were done on a fully patched Windows 7 system using up-to-date browsers, including Firefox 15.0.1, Google Chrome 21.0.1180.89, Internet Explorer 9.0.8112.16421 (update 9.0.10), Opera 12.02 (build 1578) and Safari 5.1.7 (7534.57.2). Java isn’t, of course, limited to Windows, so users of other platforms also need to be aware of this vulnerability.

Darlene Storm, writing on the oddly named Security is Sexy blog at ComputerWorld, interviewed Mr Gowdiak about the new critical vulnerability discovery. He told her that “A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.” Ms Storm asked Mr Gowdiak “What security advice do you have for the one billion Java users at risk?” To which Mr Gowdiak replied “Taking into account the risk posed by the bug uncovered, it is the best to disable Java Plugin in the web browser and wait for the patches from Oracle. There are still 3 weeks till the scheduled Java Oct CPU [Critical Patch Update], so it might be possible that the bug will be addressed by the company on 16 Oct 2012.”

As yet there are no reports of this flaw being used in malware exploits, according to c|net. If you are unsure whether you need Java or not, it is advised that you disable or uninstall it to see if any of your essential web apps depend upon it. For me the only page I ever visit requiring Java is the ADVFN live stock monitor, which I can live without because there are alternatives.



HEXUS Forums :: 5 Comments

I have just updated last night!!!
Another so soon? There was one last month! -.- Get it together chaps :)
Also, if we don't visit dodgy sites as a rule, we'll be fine?
We should have a news article when there isn't a daily Java exploit. Feels like it needs patching every day.
Feels like it tries to update every day as well ;)

AFAICT from the story you need to run a maliciously crafted java application (I don't think there are applets any more, since that part of the api got deprecated when I was learning java in 2005!) to be vulnerable, so as long as you've got sensible restrictions in place about what websites can run java and the sites you use are reasonably secure you should be alright. Not great though.
scaryjim
Feels like it tries to update every day as well ;)

AFAICT from the story you need to run a maliciously crafted java application (I don't think there are applets any more, since that part of the api got deprecated when I was learning java in 2005!) to be vulnerable, so as long as you've got sensible restrictions in place about what websites can run java and the sites you use are reasonably secure you should be alright. Not great though.

Java applets are still not deprecated in the API and are supported by all the browsers, although they are rarely actually used these days.

docs.oracle.com/javase/7/docs/api/java/applet/Applet.html