Another Serious Java Flaw Emerges

Another Java SE flaw for Oracle to deal with

Zero-days in Java may have only just been fixed by Oracle, but details of a new critical flaw have now been published, leaving users open to more attacks.

Worryingly, Java SE versions 5, 6 and 7 are all affected, according to Security Explorations, the same firm that recently discovered vulnerabilities in Java that hackers exploited in a variety of ways. However, there have been no reported attacks in the wild.

“The impact of this issue is critical – we were able to successfully exploit it and achieve a complete Java security sandbox bypass,” Security Explorations CEO Adam Gowdiak explained.

Is Java a joke?

The company showed how it could exploit the flaw on a Windows 7 32-bit machine, across a variety of widely-used browsers, including Firefox 15.0.1, Google Chrome 21.0.1180.89 and Internet Explorer 9.0.8112.16421, Gowdiak said.

“We have provided Oracle Corporation with a technical description of the issue found along with a source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7,” he added.

“We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison’s morning.”

Gowdiak recently told TechWeekEurope his firm had discovered another serious vulnerability in Java, but did not go into detail. The company has found as many as 50 flaws in Java to date.

At the time of publication, Oracle had not responded to a request for comment on the fresh flaw.

Security Explorations will be hoping Oracle doesn’t take as long as it did when addressing the recently-exploited Java zero-day – a reported four months. But Gowdiak told TechWeekEurope today that he had been impressed by Oracle’s initial response.

“Yesterday, Oracle confirmed the newly discovered issue. This was the first time the company has provided us with a bug confirmation the same day it was reported,” he said. “We find this to be a positive sign and a potential indication of prompt work on a fix as well.

“We can’t force Oracle into doing anything. We can only believe that recent events will lead to proper conclusions and changes in the company’s security-related processes.”

Gowdiak is keen for Oracle to adopt a more flexible patching cycle. He advised users to disable the Java plugin for their browsers until a fix had been issued.
