Just when you thought it was safe to go back to using Java, security researchers have found another gaping hole that could impact potentially more than 1.1 billion desktops running the Oracle-owned platform.

A critical vulnerability in all of the latest versions of Java SE software was discovered that would give an attacker full remote control of a computer whose user lands on a malicious site. The exploit developed by Adam Gowdiak and his team at Polish security consultancy Security Explorations enabled them to escape the Java security sandbox in Java SE 7. Java 5 and 6 also contain the same vulnerability. Oracle says 1.1 billion desktops currently run Java, which is also available as a plug-in for all major browsers.

Gowdiak said the proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7.

Escaping the sandbox, the restricted environment in which untrusted Java code is supposed to run without access to the host machine, could enable an attacker to run malware remotely and to view, change or delete data with the user’s privileges. Gowdiak said in an email to Threatpost that an attacker could craft a phishing email enticing the user to visit a website hosting a malicious Java app, which would drop malware on the compromised machine. He added that banner ads could also be used to deliver malware to vulnerable systems.

Security Explorations sent Oracle a technical description of the vulnerability and the exploit code. Oracle has yet to reply whether it will issue an emergency patch, or wait for its October security update to fix the problem.

“Taking into account the nature of the bug, we advise to disable Java Plugin in the Web browser and wait for patches from Oracle,” Gowdiak said. “It has the biggest impact out of all bugs we found as part of our Java security research project. It affects Java versions 5, 6 and 7. So far, we were primarily able to break Java 7 only.”

Java has been under fire lately. Most recently, a critical vulnerability was found in Java 7, and exploits were discovered in the wild that allowed attackers to install malware remotely on compromised machines. Oracle patched that bug Aug. 30. Windows users aren’t the only ones exposed by such bugs: Mac computers run Java 6 by default, and a similar vulnerability was exploited by the Flashback Trojan.

The Java 7 zero day was used in numerous targeted attacks launched from a site hosted in China. The exploit installed the PoisonIvy remote access Trojan on compromised computers. This is the same RAT used in exploits against a memory-corruption vulnerability found in Internet Explorer shortly thereafter.

There are several versions of PoisonIvy in circulation, and they can log keystrokes, download and upload files to and from a command and control server, inject code into running processes and more. It was also used as part of the attack against RSA Security which compromised the ubiquitous SecurID authentication token.

Categories: Malware, Vulnerabilities

Comments (4)

  1. Anonymous

    I think it’s a little more than ironic that all these flaws are found by security researchers then talked about publicly instead of going directly to the company that has the problem and giving them a chance to fix it or warn their users themselves.

  2. Anonymous

    Let’s tone down the hype-meter here folks. This is NOT a zero-day: there’s no indication that this is under attack.

    What’s going on is a researcher found a possible vulnerability and notified the vendor. Good for them for doing the right thing there.

    But this isn’t news: this happens hundreds of times a day.

    Of course, this is brought to you by Kaspersky so why should we expect reasonable coverage and analysis? Maybe if Michael did some research and didn’t just copy/paste the blast email the security company sent out this story would be informative rather than irritating hype.

  3. Anonymous

    Thanks Java. I am 14 hours today into trying to remove Trojan Alureon A and a few hours last night determining I had a virus. NOT HAPPY HERE.