

Despite Oracle’s Patch, New Java 7 Vulnerabilities Emerge

By Ken Presti
September 04, 2012    2:31 PM ET

Oracle last week issued a relatively rare unscheduled patch aimed at closing two vulnerabilities in Java 7 that opened the door to drive-by hacking. The security research group in Poland, which was instrumental in identifying the earlier vulnerabilities, now says it has found new weaknesses in Java 7 that enable a complete sandbox escape.

Researcher Adam Gowdiak of Security Explorations claims that, after examining the patch issued last week, he found that one of the adjustments to the application inadvertently opened a whole new door to exploitation.

"One of the fixes incorporated in the released update also addressed the exploitation vector with the use of the sun.awt.SunToolkit class," Gowdiak wrote in his blog, entitled "BugTraq." "Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more (please note that not all security issues that were reported in Apr 2012 got addressed by the recent Java update)."

[Related: Java 7 Zero Day Attack Could Impact Enterprise BYOD]

Gowdiak also indicated that he has sent a security vulnerability report to Oracle, along with Proof of Concept code that "successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012)," and that the cause is "a new security issue" that "made exploitation of some of our not yet addressed bugs possible to exploit again."

Many security experts suggested last week that Java 7 is expendable for most users and recommended that it be disabled or removed altogether.

"Unless you actually need Java, you might choose to remove it from your system because of the history of exploits that have come out through it," said Chris Astacio, manager of security research at Websense Labs. "Java is well known as a major attack vector for exploit kits. But if you absolutely do not need it, you're better off removing it altogether. Most consumer-type websites do not require it, but there are some applications internal to enterprises that may require it."

The software runs on literally hundreds of millions of machines, according to many reports.
