Search
Homepage Rankings and Research Companies Channelcast Marketing Matters CRNtv Events WOTC Cisco Partner Summit Digital 2020 NetApp Digital Newsroom HPE Zone The Business Continuity Center Enterprise Tech Provider Masergy Zenith Partner Program Newsroom HP Reinvent Digital Newsroom Hitachi Vantara Digital Newsroom IBM Newsroom Juniper Newsroom Intel Partner Connect 2021 Avaya Newsroom Experiences That Matter The IoT Integrator Intel Tech Provider Zone NetApp Data Fabric WatchGuard Digital Newsroom

Security Researcher Outs 5 New Java Zero-Day Flaws

New Java Zero-day Flaws uncovered by Security Explorations, a Poland-based vulnerability research firm, can be used by an attacker to execute code on a victim's computer.

Poland-based Security Explorations, which has been in a dispute with Oracle over the vendor's denial of a recent finding, said Monday that it discovered five additional flaws in Java SE. Two of the vulnerabilities could be used by an attacker to execute code on a victim's machine, the firm said. Security researcher and company CEO Adam Gowdiak said the two security issues combined together can bypass the sandbox environment in Java SE 7 Update 15.

"Our vulnerability report along with a working Proof of Concept code was submitted to Oracle today," wrote Gowdiak in a security advisory posted on the Full Disclosure Mailing list.

[Related: Malware Rising: Trojans Dominate Rankings, Study Finds ]

Gowdiak said the attack breaks security checks recently added by Oracle to Java SE. There were also some code fragments missing proper security checks, he said. Gowdiak warned that some of the flaws could affect earlier versions of Java SE, but currently the findings have been successfully tested on Java SE 7 only.

Oracle has not publicly acknowledged any of the findings. A company spokesperson responded to an inquiry from CRN saying it was looking into the matter.

Last week, researchers at security firm FireEye said it detected a brand-new Java Zero-day vulnerability that was used to attack multiple customers. Successful exploitation enables an attacker to download a remote access Trojan onto a victim's machine, FireEye said in a blog post.

"We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery," the company said.

FireEye is urging users to disable Java in the browser until a patch is released. As a workaround, users can set their Java security settings to high to prevent Java applets outside of the organization from running.

Java has come under increased pressure in recent months following a documented rise in attacks targeting the ubiquitous programming language. The company issued an emergency update in February following ongoing attacks targeting a known Java Zero-day flaw.

Eric Maurice, director of software assurance at Oracle, said the company was speeding up its patching cycle to more immediately address issues. The "intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers," Maurice wrote in a blog entry last month. The next regularly scheduled security update for Java SE is slated for April 16.

PUBLISHED MARCH 4, 2013

Back to Top

Video

     

    trending stories

    sponsored resources