Despite Oracle’s Patch, New Java 7 Vulnerabilities Emerge

By Ken Presti
September 04, 2012 2:31 PM ET

Oracle last week issued a relatively rare unscheduled patch aimed at closing two vulnerabilities in Java 7 that opened the door to drive-by hacking. The security research group in Poland, which was instrumental in identifying the earlier vulnerabilities, now says it has found new weaknesses in Java 7 that enable a complete sandbox escape.

Researcher Ada Gowdiak of Security Explorations claims that after examining the patch that was issued last week, he has found that one of the adjustments to the application has inadvertently opened up a whole new door of exploitation.

"One of the fixes incorporated in the released update also addressed the exploitation vector with the use of the sun.awt.SunToolkit class," Gowdiak wrote in his blog, entitled, "BugTraq." "Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more (please note, that not all security issues that were reported in Apr 2012 got addressed by the recent Java update)."

Gowdiak also indicated that he has sent a security vulnerability report to Oracle, along with a Proof of Concept code that "successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012)," and that the reason is because "a new security issue" was discovered that "made exploitation of some of our not yet addressed bugs possible to exploit again."

Many security experts suggested last week that Java 7 is expendable for most users and recommended that the service be disabled or deleted altogether.

"Unless you actually need Java, you might choose to remove it from your system because of the history of exploits that have come out through it," said Chris Astacio, manager of security research at Websense Labs. "Java is well known as a major attack vector for exploit kits. But if you absolutely do not need it, you're better off removing it altogether. Most consumer-type websites do not require it, but there are some application's internal to enterprises that may require it."

The software runs on literally hundreds of millions of machines, according to many reports.

PUBLISHED SEPT. 4, 2012

To continue reading this article, please download the free CRN Tech News app for your iPad or Windows 8 device.

Related: Videos | Slide Shows | Comments

SHARE THIS ARTICLE

More Security

Comments by Vanilla

Recent Articles

	10 Security Companies That Have Scored CIA Funding CIA-funded venture firm invests millions in technology startups, mostly security firms. Find out which security companies won In-Q-Tel funding.
	Head-To-Head: Symantec Vs. McAfee In Endpoint Protection McAfee and Symantec are archrivals with a firm grip on the North American security market. CRN pits both vendors' endpoint security products against each other and names a winner.
	The 8 Steps Behind The Massive $45M Cyber Bank Heist More than $45 million was stolen from banks in the U.S. and 19 other countries in a scheme that law enforcement is calling an international conspiracy to drain millions from bank accounts using stolen debit cards and PIN numbers. Here's how they did it.
	More Slide Shows