New Java Security Exploit

It seems this is not the best time to be running Java, or to be working at Oracle. Hot on the heels of a widely publicised critical zero-day in Java 7, which was patched only in August, the security firm Security Explorations has revealed another, reportedly more serious vulnerability. It is present in all current versions of Java 5, 6 and 7, and it is not fixed by the most recent Critical Patch Update.

An estimated 1 billion people worldwide run Java, across Windows, Mac OS X and Linux, so the attack surface is huge. This is the 50th Java flaw that Security Explorations has reported this year, of varying severity.

A posting by Security Explorations on the Full Disclosure mailing list described the issue but stopped short of releasing proof-of-concept code into the wild. With the previous flaw, public proof-of-concept code was picked up by attackers very quickly.

Oracle has yet to comment or issue a statement. Given that Java 5 and 6 predate Oracle's acquisition of Sun Microsystems, the vulnerability has presumably been present since well before Oracle took over Java.

Adam Gowdiak, CEO of Security Explorations, describes the vulnerability as a complete bypass of the Java sandbox, the mechanism that is supposed to confine untrusted code such as applets, giving an attacker unrestricted privileges. Its effect is similar to that of the previous flaw, only reportedly worse, since it affects Java 5 and 6 as well as Java 7.

Gowdiak: "A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user."
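To make the "sandbox" in Gowdiak's description concrete, here is an added illustration, not code from the article or from Security Explorations, of what the Java SecurityManager normally denies to untrusted code, and therefore what a complete bypass hands to an attacker. The target path and the class name are assumptions chosen for the demonstration.

```java
import java.io.File;
import java.security.AccessControlException;

// Added illustration of the Java sandbox boundary. Not code from the page
// or from Security Explorations; the target path is an assumed example.
public class SandboxDemo {

    // Try to touch a file and report whether the runtime allowed it.
    static String probe(File f) {
        try {
            return f.exists() ? "readable" : "absent";
        } catch (AccessControlException e) {
            // The SecurityManager consulted the policy and refused the read.
            return "denied (" + e.getPermission() + ")";
        }
    }

    public static void main(String[] args) {
        // Assumed sensitive target; any path outside the code's own origin would do.
        File target = new File(System.getProperty("user.home"), ".bashrc");

        // A desktop Java application runs with no SecurityManager installed,
        // so the check never happens and the read is allowed.
        System.out.println("no sandbox  : " + probe(target));

        // An applet or Web Start application runs under a SecurityManager with a
        // restrictive policy. Installing the default manager here reproduces that.
        System.setSecurityManager(new SecurityManager());
        System.out.println("with sandbox: " + probe(target));

        // A sandbox-bypass bug of the kind reported here lets untrusted code get
        // back to the first state while still running inside the browser process.
    }
}
```

Run it with `java SandboxDemo`; the first probe prints `readable` (or `absent`) and the second prints a `denied (...)` line naming the `java.io.FilePermission` that was refused. On JDK 18 and later the SecurityManager is disabled by default and must be enabled with `-Djava.security.manager=allow`; on the Java 5 to 7 releases the article concerns it works as shown.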

An article by Darlene Storm on Computerworld includes an interview with Gowdiak.

Users who disabled Java in their browsers until the previous vulnerability was patched may wish to do so again: the browser plugin is the path by which a malicious applet reaches a victim, and with no fix available, disabling it is the practical mitigation. Desktop Java applications already run outside the sandbox, so the flaw changes nothing for them; it is untrusted code reaching the browser that matters. One hopes Oracle's patch will arrive much faster than the last one. That vulnerability was seized upon extremely quickly by attackers seeking to exploit the security hole, leaving Windows, Mac OS X and Linux users running Java wide open to a range of exploits and malware.