Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.
“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.
Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code: a single exploit that relies on both vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.
Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc. said that attackers could pair that vulnerability with a recursive use of the reflection API in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.
Gowdiak said the lack of a fix for the flaw inspired him to look for new issues.
“Leaving MBeanInstantiator issue unfixed was like an invitation to hack Java again. All that was required was to find another bug that could be combined with it,” Gowdiak said. “We have however decided not to rely on that unfixed bug and decided to find two completely new ones instead.”
Metasploit creator HD Moore told Threatpost that the privilege escalation bug in the MBeanInstantiator exposes two Java classes which in turn expose the class loader, a tactic similar to the one used in many recent Java exploits.
“A lot of the recent Java exploits use a technique similar to this one where they find a class that’s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,” Moore said. “It’s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7.”
This whole mess started Jan. 9 when reports surfaced from researchers that new Java exploits were present in all the major exploit kits, including Blackhole, Cool and Redkit.
Oracle responded on Monday with an out-of-band update that it said included patches for the two vulnerabilities as well as a change to the default security configuration in Java. Oracle raised the default security level from medium to high, meaning that unsigned or self-signed Java applets would prompt the user before executing. Experts said this was a good first step, but would not deter social engineering attacks that trick a user into allowing an applet to execute, nor stop an attacker from using a stolen, valid certificate to run a malicious applet automatically.
Since then, calls to disable or abandon Java have gotten louder. Experts argue that few websites require the Java browser plug-in at the core of so many security issues, and that users would hardly lose any functionality online without running Java.
With attacks being folded into exploit kits at an alarming rate, Java security is becoming top of mind for security professionals, both because of Java’s ubiquity across computing platforms and because reliable Java exploits are economical for attackers, who do not have to recode them for each platform.