
Another Serious Java Flaw Emerges

Zero-days in Java may have only just been fixed by Oracle, but details of a new critical flaw have now emerged, leaving users open to more attacks.

Worryingly, Java SE versions 5, 6 and 7 are all affected, according to Security Explorations, the same firm that recently discovered vulnerabilities in Java that hackers exploited in a variety of ways. However, there have been no reported attacks in the wild.

“The impact of this issue is critical – we were able to successfully exploit it and achieve a complete Java security sandbox bypass,” Security Explorations CEO Adam Gowdiak explained.

Is Java a joke?

The company showed how it could exploit the flaw on a Windows 7 32-bit machine, across a variety of widely-used browsers, including Firefox 15.0.1, Google Chrome 21.0.1180.89 and Internet Explorer 9.0.8112.16421, Gowdiak said.

“We have provided Oracle Corporation with a technical description of the issue found along with the source and binary code of our Proof of Concept demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7,” he added.

“We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison’s morning.”

Gowdiak recently told TechWeekEurope his firm had discovered another serious vulnerability in Java, but did not go into detail. The company has found as many as 50 flaws in Java to date.

At the time of publication, Oracle had not responded to a request for comment on the fresh flaw.

Security Explorations will be hoping Oracle doesn’t take as long as it did when addressing the recently-exploited Java zero-day – a reported four months. But Gowdiak told TechWeekEurope today that he had been impressed by Oracle’s initial response.

“Yesterday, Oracle confirmed the newly discovered issue. This was the first time the company has provided us with a bug confirmation the same day it was reported,” he said. “We find this to be a positive sign and a potential indication of prompt work on a fix as well.

“We can’t force Oracle into doing anything. We can only believe that recent events will lead to proper conclusions and changes in the company’s security-related processes.”

Gowdiak is keen for Oracle to adopt a more flexible patching cycle. He advised users to disable the Java plugin for their browsers until a fix had been issued.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
