

Hit Parade: Oracle Faces Yet Another New Java Bug

By Robert Westervelt
April 24, 2013    10:53 AM ET

Oracle faces a newly discovered Java security vulnerability with the finding of a potential coding error that could enable attackers to bypass security restrictions and gain access to a victim's machine.

The security flaw, discovered in all versions of Java SE 7, impacts both client-side and server-side implementations of Java, according to Adam Gowdiak, a security researcher at Security Explorations, based in Poland. Gowdiak said Monday that Oracle was notified about the discovery and provided with proof-of-concept code exploiting the vulnerability.

"Successful exploitation in a Web browser scenario requires proper user interaction," Gowdiak wrote in his announcement posted to the Full Disclosure mailing list. "It can be used to achieve a complete Java security sandbox bypass on a target system."


The working exploit does not bypass click-to-play, requiring users to accept a pop-up security warning in order to run the malicious applet in the browser. Oracle has not yet confirmed the vulnerability.

The vulnerability could have been worse, said Graham Cluley, a senior security consultant at Sophos. Cluley said consumers can choose to remove Java altogether, but enterprise users may have a greater need for the software.

"The fact that even if this vulnerability is exploited by malicious hackers, users are still prompted with a security dialog is better than nothing at all," Cluley wrote in the Sophos Labs blog. "Oracle has been feeling the heat recently, after a spate of malware attacks have exploited holes in its Java product and given the software a reputation for lousy security."

Security firm F-Secure said on Tuesday that it detected ongoing attacks targeting the latest vulnerabilities patched by Oracle in an update issued last week. The attacks emerged a day after the exploits were added to the Metasploit penetration tool. The Metasploit module enables the user to run code outside the Java Sandbox.

Oracle issued a critical Java update repairing 42 vulnerabilities April 17. Oracle said 19 of the flaws are extremely critical, carrying the maximum score in the Common Vulnerability Scoring System.
