Another Java Zero-Day Vulnerability Found


A Polish-based security research firm has discovered another zero-day vulnerability in Java.

According to Adam Gowdiak, the founder and CEO of Security Explorations, the latest bug is considered to be critical because it enables a complete Java security sandbox bypass in the environment of Java SE 5 (Update 22), SE 6 (Update 35) and SE 7 (Update 7). The net result would be the ability to install remote code.

The vulnerability is believed to impact both PCs and Macs using Java.


The tests were reportedly conducted on a fully patched Windows 7 32-bit system across a wide range of browsers. The bug also allows the violation of a fundamental security constraint of the Java Virtual Machine.

In Gowdiak's message to recipients of the Full Disclosure mailing list, he said, "To fulfill the Pro Bono mission of our SE-2012-01 project, we have provided Oracle Corporation with a technical description of the issue found along with the source and binary code of our Proof of Concept demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7."

At this point, there is no evidence suggesting that this potential zero-day exploit has been seen in the wild. It is expected that the bug will be patched in a few weeks, within the scope of a regularly scheduled Oracle update. In order to help prevent cyber criminals from leveraging the glitch, Gowdiak stopped short of publicly explaining precisely how the exploit works. A full description, however, has been conveyed to Oracle.

Last month, Java 7 was under attack, using exploits that eventually made their way into Blackhole and into similar toolkits that are used by both the white-hat and the black-hat communities.

Java has emerged as a substantial target, largely because it is so widely deployed across the globe, running on literally hundreds of millions of machines, according to several accounts. However, experts say that it is often expendable, depending on a user's specific requirements.

"Unless you actually need Java, you might choose to remove it from your system because of the history of exploits that have come out through it," said Chris Astacio, manager of security research at Websense Labs. "Java is well known as a major attack vector for exploit kits. But if you absolutely do not need it, you're better off removing it altogether. Most consumer-type websites do not require it, but there are some applications internal to enterprises that may require it."

PUBLISHED SEPT. 26, 2012