Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.

Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc., said that attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.

Gowdiak said the lack of a fix for the flaw inspired him to look for new issues.

“Leaving MBeanInstantiator issue unfixed was like an invitation to hack Java again. All that was required was to find another bug that could be combined with it,” Gowdiak said. “We have however decided not to rely on that unfixed bug and decided to find two completely new ones instead.”

Metasploit creator HD Moore told Threatpost that the privilege escalation bug in the MBeanInstantiator exposes two Java classes which in turn expose the class loader, a similar tactic used in many recent Java exploits.

“A lot of the recent Java exploits use a technique similar to this one where they find a class that’s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,” Moore said. “It’s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7.”

This whole mess started Jan. 9 when reports surfaced from researchers that new Java exploits were present in all the major exploit kits, including Blackhole, Cool and Redkit.

Oracle responded on Monday with an out-of-band update that it said included patches for the two vulnerabilities as well as a change to the default security configuration in Java. Oracle changed it from medium to high, meaning that unsigned Java applets, or self-signed applets, would prompt the user before executing. Experts said this was a good first step, but would not deter social engineering attacks that could trick a user into allowing an applet to execute, or an attacker from using a stolen, valid certificate to run a malicious applet automatically.

Since then, calls to disable or abandon Java have gotten louder. Experts argue that few websites require the Java browser plug-in at the core of so many security issues, and that users would hardly lose any functionality online without running Java.

With attacks being folded into exploit kits at an alarming rate, Java security is becoming top of mind for security professionals because of Java’s ubiquity on all computing platforms, and that reliable exploits are economical for attackers who won’t have to recode them for each respective platform.

Suggested articles

Broken IBM Java Patch Prompts Another Disclosure

Current versions of IBM SDK 7 and SDK 8 remain vulnerable to a 2013 Java vulnerability. Security Explorations discovered the original patch is broken and disclosed details on the flaw and a proof-of-concept exploit.

Broken 2013 Java Patch Leads to Sandbox Bypass

A patch for a critical 2013 Java vulnerability is incomplete, and exposes Java servers and clients to a sandbox bypass, researchers at Security Explorations of Poland said.


  • Anonymous on

    Wow. I never thought I would say this, but, Oracle is making Adobe look good. It's about time Larry threw in the towel and hire some of the researchers who seem to be more capable than his in-house staff. We can only hope he is running a Java based GPS app on his yacht I guess.

  • Anonymous on

    So frustrating for admins! 

  • Anonymous on

    One thing to remember: because of the change in default security settings (and unless you've reduced the default value), you have to explicitly allow the code to run in order for any of these attacks to succeed. So yes, there's still a vulnerability that needs to be fixed, but the real risk is very much reduced.

    The reality is that all applets should be signed. The days of running untrusted code without being able to prove who the author is should be over.

  • Anonymous on

    Relying on users to 'do the right thing' by NOT clicking on a pop up is simply not going to stop anything. How many users click 'ok' without ever reading the content of the alert? In my experience, a LOT of people. They won't even see what the warning message says.
  • Pendebede Fox on

    I'm not sure how code signing would help very much - most people just ignore the warnings by default, or lower security settings to allow them to get at what they think they want.

  • Pendebede Fox on

    Ironically, it's Microsoft who has done more than anyone to completely habituate people to hitting the OK button on whatever popup they see. As of Windows Vista that is - it's completely laughable: if you observe most people installing anything, they just plough through a barrage of utterly geeky dialogues coming up warning about how something wants to access something, usually without any further explation. My favourite Microsoft "security" dialogue is from Outlook 2007: if it can't log in it throws up a totally anonymous dialogue asking for your username and password. No indication of any kind is on that dialogue as to what program it's associated with.

    How anyone of sound mind can expect the general public to even begin to navigate security issues in the current consumer computing environment is beyond me. I mean, where the rubbery F are the DESIGNERS??

  • Anonymous on

    Oracle is pissing away billions in goodwill they bought with the Sun brand.  Larry never cared much about "free" SW and it shows.  I hate to say it, but Apple and Google both see a Java-free world and Oracle seems unwilling or unable to stop them.

  • Anonymous on

    Oracle is pissing away billions in goodwill they bought with the Sun brand.  Larry never cared much about "free" SW and it shows.  I hate to say it, but Apple and Google both see a Java-free world and Oracle seems unwilling or unable to stop them.

  • Oracle did what? on

       Yeah i was one of those submitting free code when it was open source, but it was always reviewed by others to make sure no one snuck in a back door. Nothing was ever perfect but all tried. Close associate mentioned to me in last 3 days that the holes were patched 2 updates ago, but fantastic code was deleted, and replaced by code from outta the blue. Does Oracle want to destroy java? That question keeps being repeated!

    If done for greed, and this is found out- this could become a landmark case. Many health insurance companies stopped supplying data using java online to hospitals and health care professionals, with flu outbreak , there is no doubt deaths have happened. on the other hand those international health care groups that continued to use java have risked all of their health care data and private patient information. Either way this could bring Oracle down for good. There are many other sites that are encouraging their users to keep using java, mainly because their sites don't run without it. Killing for money, there's a term for that...







    NO BANK!





  • Anonymous on

    Where that unbreakable code they were talking about.

  • Anonymous on

    To ALL code writers: Write new programs to  replace all these has-beens work . They do not care as they have F__k you money and don't care about our safety. Start your own company with NO VENTURE captital, NONE!!! Thank you...

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.