New Zero-Day Vulnerability Found in Java 5, 6 and 7; 1.1 Billion Desktops Affected

Just when you thought it was safe to go back to using Java, security researchers have found another gaping hole that could impact potentially more than 1.1 billion desktops running the Oracle-owned platform.

Just when you thought it was safe to go back to using Java, security researchers have found another gaping hole that could impact potentially more than 1.1 billion desktops running the Oracle-owned platform.

A critical vulnerability in all of the latest versions of Java SE software was discovered that would allow an attacker full remote control of a computer landing on a malicious site. The exploit developed by Adam Gowdiak and his team at Polish security consultancy Security Explorations enabled them to escape the Java security sandbox in Java SE 7. Java 5 and 6 also contain the same vulnerability. Oracle says 1.1 billion desktops currently run Java, which is also a plug-in for all major browsers.

Gowdiak said the proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7.

Escaping the sandbox environment, where untrusted Java code is supposed to be run and executed before allowing it access to the host machine, could enable an attacker to remotely run malware, view, change or delete data with the user’s privileges. Gowdiak said in an email to Threatpost that an attacker could craft a phishing email enticing the user to visit a website hosting a malicious Java app which would drop malware on the compromised machine. He added that banner ads could be used to deliver malware to vulnerable systems.

Security Explorations sent Oracle a technical description of the vulnerability and the exploit code. Oracle has yet to reply whether it will issue an emergency patch, or wait for its October security update to fix the problem.

“Taking into account the nature of the bug, we advise to disable Java Plugin in the Web browser and wait for patches from Oracle,” Gowdiak said. “It has the biggest impact out of all bugs we found as part of our Java security research project. It affects Java versions 5, 6 and 7. So far, we were primarily able to break Java 7 only.”

Java has been under fire lately. Most recently, a critical vulnerability was found in Java 7 and exploits were discovered in the wild that would allow hackers to install malware remotely on compromised machines. Oracle patched that bug Aug. 30. Windows users aren’t the only ones exposed by this bug. Mac computers run Java 6 by default and a similar vulnerability was exploited by the Flashback Trojan.

The Java 7 zero day was used in numerous targeted attacks launched from a site hosted in China. The exploit installed the PoisonIvy remote access Trojan on compromised computers. This is the same RAT used in exploits against a memory-corruption vulnerability found in Internet Explorer shortly thereafter.

There are several versions of PoisonIvy in circulation, and they can log keystrokes, download and upload files to and from a command and control server, inject code into running processes and more. It was also used as part of the attack against RSA Security which compromised the ubiquitous SecurID authentication token.

Suggested articles

Broken IBM Java Patch Prompts Another Disclosure

Current versions of IBM SDK 7 and SDK 8 remain vulnerable to a 2013 Java vulnerability. Security Explorations discovered the original patch is broken and disclosed details on the flaw and a proof-of-concept exploit.

Broken 2013 Java Patch Leads to Sandbox Bypass

A patch for a critical 2013 Java vulnerability is incomplete, and exposes Java servers and clients to a sandbox bypass, researchers at Security Explorations of Poland said.

Discussion

  • Anonymous on

    I think it's a little more than ironic that all these flaws are found by security researchers then talked about publicly isntead of going directly to the company that has the problem and giving them a chance to fix it or war n their users themselves.

  • Anonymous on

    Let's tone down the hype-meter here folks. This is NOT a zero-day: there's no indication thatt his is under attack.

    What's going on is a researcher found a possible vulnerability and notified the vendor. Good for them for doing the right thing there.

    But this isn't news: this happens hundreds of times a day.

    Of course, this is brought to you by Kaspersky so why should we expect reasonable coverage and analysis? Maybe if Michael did some research and didn't just copy/paste the blast email the security company sent out this story would be informative rather than irritating hype.

  • Anonymous on

    This is not the only web site to run this story.  Look around...

  • Anonymous on

    Thanks Java. I am 14 hours today into trying to remove Trojan Alureon A and a few hours last night determining I had a virus.  NOT HAPPY HERE. 

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.