Categories: SecurityWorkspace

Two More Java Flaws Emerge

Yet more Java vulnerabilities have been uncovered, as security professionals fret about the quality of Oracle’s patch issued last weekend.

Security Essentials, the Polish firm that has been particularly adept at finding holes in Java, said it told Oracle about the two fresh vulnerabilities it had uncovered on Friday. The company did not go into detail about what the fresh flaws were and how they could be exploited.

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21),” a post on the Seclists.org Full Disclosure site.

Java security

Oracle has been plagued with Java problems this month, with one zero-day flaw exploited via various malicious kits, which sought to serve up malware via hacked websites. It eventually released a fresh version of Java and believed it had covered that flaw.

But security professionals agreed the patch was incomplete and that Java should be disabled by all those who don’t need it. Others have pointed to inherent security problems in Java, which Oracle may have trouble rectifying.

“The Java applet security model has not kept up with up with browser-based threats. In an era where sandboxing at the process level has become the norm (Adobe Reader, Flash on Chrome, Chrome itself, Internet Explorer low-privacy mode), Java continues to enforce all security at the interpreter level,” said CSO at security firm Rapid7, and chief architect of Metasploit, HD Moore.

“If Oracle wants Java to be successful within the browser they will need to make serious investments into the security model and their ability to respond quickly to new threats.

“Java would benefit from a process-level sandbox and a drastic change in the APIs available to untrusted applets.”

Others have slightly stronger opinions on what Oracle should do. “Oracle should just take a mulligan and redesign Java from the ground up before everyone completely loses faith in it and other Oracle products,” said Andrew Storms, director of security operations for nCircle.

What do you know about online security? Try our quiz and find out.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago