Despite Oracle’s Patch, New Java 7 Vulnerabilities Emerge2:31 PM EST Tue. Sep. 04, 2012
Oracle last week issued a relatively rare unscheduled patch aimed at closing two vulnerabilities in Java 7 that opened the door to drive-by hacking. The security research group in Poland, which was instrumental in identifying the earlier vulnerabilities, now says it has found new weaknesses in Java 7 that enable a complete sandbox escape.
Researcher Ada Gowdiak of Security Explorations claims that after examining the patch that was issued last week, he has found that one of the adjustments to the application has inadvertently opened up a whole new door of exploitation.
"One of the fixes incorporated in the released update also addressed the exploitation vector with the use of the sun.awt.SunToolkit class," Gowdiak wrote in his blog, entitled, "BugTraq." "Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more (please note, that not all security issues that were reported in Apr 2012 got addressed by the recent Java update)."
Gowdiak also indicated that he has sent a security vulnerability report to Oracle, along with a Proof of Concept code that "successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012)," and that the reason is because "a new security issue" was discovered that "made exploitation of some of our not yet addressed bugs possible to exploit again."
Many security experts suggested last week that Java 7 is expendable for most users and recommended that the service be disabled or deleted altogether.
"Unless you actually need Java, you might choose to remove it from your system because of the history of exploits that have come out through it," said Chris Astacio, manager of security research at Websense Labs. "Java is well known as a major attack vector for exploit kits. But if you absolutely do not need it, you're better off removing it altogether. Most consumer-type websites do not require it, but there are some application's internal to enterprises that may require it."
The software runs on literally hundreds of millions of machines, according to many reports.
PUBLISHED SEPT. 4, 2012