Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code: a single exploit that chains the two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.

Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc. said that attackers could pair that vulnerability with a recursion bug in the reflection API in order to bypass Java's security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.

Gowdiak said the lack of a fix for the flaw inspired him to look for new issues.

“Leaving MBeanInstantiator issue unfixed was like an invitation to hack Java again. All that was required was to find another bug that could be combined with it,” Gowdiak said. “We have however decided not to rely on that unfixed bug and decided to find two completely new ones instead.”

Metasploit creator HD Moore told Threatpost that the privilege escalation bug in the MBeanInstantiator exposes two Java classes which in turn expose the class loader, a tactic similar to the one used in many recent Java exploits.

“A lot of the recent Java exploits use a technique similar to this one where they find a class that’s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,” Moore said. “It’s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7.”

This whole mess started Jan. 9 when reports surfaced from researchers that new Java exploits were present in all the major exploit kits, including Blackhole, Cool and Redkit.

Oracle responded on Monday with an out-of-band update that it said included patches for the two vulnerabilities as well as a change to the default security configuration in Java. Oracle raised the default security level from medium to high, meaning that unsigned or self-signed Java applets would prompt the user before executing. Experts said this was a good first step, but that it would not deter social engineering attacks that trick a user into allowing an applet to execute, nor stop an attacker from using a stolen, valid certificate to run a malicious applet automatically.

Since then, calls to disable or abandon Java have gotten louder. Experts argue that few websites require the Java browser plug-in at the core of so many security issues, and that users would hardly lose any functionality online without running Java.

With attacks being folded into exploit kits at an alarming rate, Java security is becoming top of mind for security professionals, because Java is ubiquitous across computing platforms and reliable exploits are economical for attackers, who don't have to recode them for each platform.

Comments (19)

  1. Anonymous

    Wow. I never thought I would say this, but Oracle is making Adobe look good. It’s about time Larry threw in the towel and hired some of the researchers who seem to be more capable than his in-house staff. We can only hope he is running a Java-based GPS app on his yacht, I guess.

  2. Anonymous

    One thing to remember: because of the change in default security settings (and unless you’ve reduced the default value), you have to explicitly allow the code to run in order for any of these attacks to succeed. So yes, there’s still a vulnerability that needs to be fixed, but the real risk is very much reduced.

    The reality is that all applets should be signed. The days of running untrusted code without being able to prove who the author is should be over.

  3. Anonymous

    Relying on users to ‘do the right thing’ by NOT clicking on a pop up is simply not going to stop anything. How many users click ‘ok’ without ever reading the content of the alert? In my experience, a LOT of people. They won’t even see what the warning message says.

  4. Pendebede Fox

    I’m not sure how code signing would help very much – most people just ignore the warnings by default, or lower security settings to allow them to get at what they think they want.

  5. Pendebede Fox

    Ironically, it’s Microsoft who has done more than anyone to completely habituate people to hitting the OK button on whatever popup they see. As of Windows Vista, that is – it’s completely laughable: if you observe most people installing anything, they just plough through a barrage of utterly geeky dialogues coming up warning about how something wants to access something, usually without any further explanation. My favourite Microsoft “security” dialogue is from Outlook 2007: if it can’t log in it throws up a totally anonymous dialogue asking for your username and password. No indication of any kind is on that dialogue as to what program it’s associated with.

    How anyone of sound mind can expect the general public to even begin to navigate security issues in the current consumer computing environment is beyond me. I mean, where the rubbery F are the DESIGNERS??

  6. Anonymous

    Oracle is pissing away billions in goodwill they bought with the Sun brand. Larry never cared much about “free” SW and it shows. I hate to say it, but Apple and Google both see a Java-free world and Oracle seems unwilling or unable to stop them.

  8. Oracle did what?

    Yeah, I was one of those submitting free code when it was open source, but it was always reviewed by others to make sure no one snuck in a back door. Nothing was ever perfect, but all tried. A close associate mentioned to me in the last 3 days that the holes were patched 2 updates ago, but fantastic code was deleted and replaced by code from outta the blue. Does Oracle want to destroy Java? That question keeps being repeated!

    If done for greed, and this is found out, this could become a landmark case. Many health insurance companies stopped supplying data using Java online to hospitals and health care professionals; with the flu outbreak, there is no doubt deaths have happened. On the other hand, those international health care groups that continued to use Java have risked all of their health care data and private patient information. Either way, this could bring Oracle down for good. There are many other sites that are encouraging their users to keep using Java, mainly because their sites don’t run without it. Killing for money, there’s a term for that…

  9.

    NO BANK!

  10. Anonymous

    To ALL code writers: Write new programs to replace all these has-beens’ work. They do not care as they have F__k you money and don’t care about our safety. Start your own company with NO VENTURE capital, NONE!!! Thank you…

  11. Ivan

    Your level of intelligence is such a blessing to see. As usual, another ignoramus shows the ugly truth that the world is riddled with the inability to use the English language. I think that this site or any other site should not allow rantings of this kind to become public. There are too many children out there who have better skills to read these messages than I do. Shame on the site to even allow the filth this person used to be put online for anyone. And as you can see, I am not ashamed to tell it like it is.

  12. Anonymous

    We are heading off topic, Ivan, but I thought to mention a minor philosophy point. Agree that the terminology used is somewhat low, but after review, I note a point was made by that dissertation from deep within the feelings of an individual that uses such a manner to communicate. Many years ago I worked with problem children having very low IQs. Some could not even speak, but as time went by I learned that I could glean something from each and every one if I observed closely. This may sound terribly Zen, but if we can learn something from a mouse in a maze, how much more can we learn from a human with a rant?

  13. Anonymous

    The referenced post aside (which I suspect comes from a native speaker and would be appalling no matter what the poster’s native language is), it is rather cheeky to complain that “the world is riddled with the inability to speak the english language”. Last time I checked, English is the official language of only a handful of countries. For a good many people in tech forums, English is a second language, and I think expecting perfection is a little much.

  14. MysteryScience

    Computer Diversity Systems Protection

    There is a way for non-code writers to do something similar to what you mention. It’s very simple, but does require some knowledge about systems. Also, it eliminates use of updates, so while it will work for most computer systems, it is most effective for systems that are going out of support, i.e. XP, ME, 98 & 95. It will also work on Linux, but that requires a better understanding of using command functions.

    This uses diversity by allowing each user to make their computer different from any other computer on Earth. The point being that with such diversity, no automated script will recognize or be able to function in an attack, because the system will not be recognized.

    This easy fix is just renaming vital systems. CCleaner helps with this as it will help you rename program names in the registry. Again, remember that changing names will make updating impossible for some programs. For now, I would suggest NOT renaming antivirus or anti-malware, because these need definition updates for security.

    While this is easy, it becomes complicated as ALL shortcuts that link back to a renamed program need to be changed. All shortcuts on the desktop need to be recreated to the (dot)exe that activates the program, using the new address (name) that you have chosen in your “programs” directory. To simplify this: after renaming the program in your program files, right-click on the exe file (application) and select “create shortcut”; it will then tell you it can’t create the shortcut there and ask you if you want the shortcut on the desktop. Select that. After the shortcut is on your desktop, you can copy it and use it any place there needs to be a shortcut.

    Here is an example:

    I have chosen an old program that is rarely used and does not depend on other systems, so this just shows a simple program name change.

    The name of the program was “WordWeb”, and the original shortcut was:

    “C:\Program Files\WordWeb\wweb32.exe”

    I went into Programs and changed the program name to “WhatWord”, then went into the program and right-clicked on “wweb32” and, as above, created a shortcut to that application. The computer automatically knew the new address, and so the new shortcut created was:

    “C:\Program Files\WhatWord\wweb32.exe”

    The point here is that if any virus or malware seeks “WordWeb” in the programs list, it will fail to find it because that address is gone. It is unlikely that it will be a target; I am just using this as a simple example. Larger, more complicated programs with several dependencies take more work, as any program that needs to use another program to function will need internal shortcuts to specific places within the other program.

    To rename other programs, especially system programs, you need to first check Administrative Tools > Services, then search for the program you want to rename. If found, right-click on it and a new small popup window will show; in the tabs at the top of this window you will find the tab “Dependencies”. Click on that and see if there are dependencies. If there are other programs listed as dependencies, it would be wise for the novice to NOT rename that program, as usually that requires knowledge of rewriting code; if you know code then do what you want. Anyone finding any program having NO Dependencies is usually able to change the program name, even a novice.

    If you change program names, do not tell anyone the names of the altered programs. Each person has a different degree of ability with computers, but if each person changes program names, at the very least, it will start to cause automated attacks to fail more and more, until hacking via the net will be more trouble than it is worth. Experienced program writers will even be able to change the full operating system name, such as going from the name “Windows” to “Linux”, which of course is complicated but will stop automated attacks, and even confuse humans engaged in an attack.

    This leads to changing a few names mainly to confuse and stall actual humans attacking a computer. Renaming your Hard Drive(s) etc. is a partial answer; the letter of the Drive will remain the same, but changing the name of a Hard Drive to something like “Compact Disk Player” is easy and confusing to humans. Use a long name so the drive letter will be invisible at the end of the name in most views used by hackers. Renaming a hard drive is easy: just go to Computer, left-click on your hard drive(s) and select “rename”. The name you choose should be close enough to an actual device, such as above, but of course despite the name it will remain a hard drive.

    In maintenance, delete all the programs you do not use; every program is a possible vulnerability. Do not leave your computer hooked up to the internet when you are not using it on the net. Turn off power to your modem when not used; I actually have a switch on the power line and the line in from the net. You are the best defense for your computer, watch for oddities.

    There are many other similar ways to change your computer’s appearance to malware & humans, so all the above are only suggestions; it is best to be creative and add tricks of your own imagining. Imagine half a billion computers with different-appearing operating systems! Diversity could be built into computers by manufacturers, maybe they will get a clue! Computers cost enough, they should be safe to use.

  15. Anonymous

    Wow! This seems like an utterly brilliant solution! I can’t conceive of any possible way this could be impractical or how an attacker might be able to circumvent such measures.

    I must say I do feel sorry for all the security researchers who will be out of a job soon, since your amazing idea should quickly render them redundant.