

Another Java Zero-Day Vulnerability Found

By Ken Presti
September 26, 2012    1:52 PM ET

A Poland-based security research firm has discovered another zero-day vulnerability in Java.

According to Adam Gowdiak, the founder and CEO of Security Explorations, the latest bug is considered critical because it enables a complete Java security sandbox bypass in Java SE 5 (Update 22), SE 6 (Update 35) and SE 7 (Update 7). The net result would be the ability to execute remotely delivered code on the affected machine.

The vulnerability is believed to impact both PCs and Macs using Java.


The tests were said to have been conducted on a fully patched Windows 7 32-bit system with a wide range of browsers. The bug also allows a fundamental security constraint of the Java Virtual Machine to be violated.

In Gowdiak's message to recipients of his Full Disclosure mailing list, he said, "To fulfill the Pro Bono mission of our SE-2012-01 project, we have provided Oracle corporation with a technical description of the issue found along with a source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7."

At this point, there is no evidence suggesting that this zero-day exploit has been seen in the wild. The bug is expected to be patched in a few weeks as part of a regularly scheduled Oracle update. To help prevent cyber criminals from leveraging the flaw, Gowdiak stopped short of publicly explaining precisely how the exploit works. A full description, however, has been conveyed to Oracle.

Last month, Java 7 was under attack using exploits that eventually made their way into the Blackhole exploit kit and similar toolkits, which are used by both the white-hat and the black-hat communities.

Java has emerged as a substantial target, largely because it is so widely deployed across the globe, running on hundreds of millions of machines according to several accounts. However, experts say that for many users it is expendable, depending on their specific requirements.

"Unless you actually need Java, you might choose to remove it from your system because of the history of exploits that have come out through it," said Chris Astacio, manager of security research at Websense Labs. "Java is well known as a major attack vector for exploit kits. But if you absolutely do not need it, you're better off removing it altogether. Most consumer-type websites do not require it, but there are some applications internal to enterprises that may require it."
