UPDATE–Oracle last week patched the two zero-day vulnerabilities in Java that attackers had been exploiting in targeted attacks, but it didn’t take long for researchers to poke more holes in the software. A new bug that allows a complete Java sandbox escape has been identified already, the latest in what has become a long line of flaws haunting the Java software running on hundreds of millions of machines.
Adam Gowdiak, a researcher at Security Explorations, a Polish firm that said it sent more than a dozen security vulnerabilities in Java to Oracle several months ago, said that upon downloading and inspecting the Java 7 update 7 file, he found that one of the changes made to the application as part of the update enabled another bug to become exploitable.
“One of the fixes incorporated in the released update also addressed the exploitation vector with the use of the sun.awt.SunToolkit class. Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more (please note, that not all security issues that were reported in Apr 2012 got addressed by the recent Java update),” Gowdiak wrote in a post on BugTraq.
“Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again.”
In addition to the newly disclosed vulnerability in Java 7, the team at Security Explorations says that it sent a number of other bug reports to Oracle in April–including the initial report of the CVE-2012-4681 bug–some of which have not yet been addressed.
Gowdiak said via email that the vulnerability he found in Java 7 is an entirely new issue and not just a reemergence of an older bug.
“That’s a completely new vulnerability. It however makes our past, not yet addressed issues possible to exploit again in the environment of the recent Java 7 Update 7,” Gowdiak said.
He also said that the company has not received any indication from Oracle when this flaw might be addressed with a patch.
“We only received information from Oracle that it planned to address the remaining 25 issues by the means of Oct 2012 and Mar 2013 Java CPUs,” Gowdiak said, referring to the larger group of bugs that Security Explorations reported to Oracle earlier this year.