Newest Java 7 Update Still Exploitable, Researcher Says

UPDATE–Oracle last week patched the two zero-day vulnerabilities in Java that attackers had been exploiting in targeted attacks, but it didn’t take long for researchers to poke more holes in the software. A new bug that allows a complete Java sandbox escape has been identified already, the latest in what has become a long line of flaws haunting the Java software running on hundreds of millions of machines.

Adam Gowdiak, a researcher at Security Explorations, a Polish firm that said it sent more than a dozen security vulnerabilities in Java to Oracle several months ago, said that upon downloading and inspecting the Java 7 update 7 file, he found that one of the changes made to the application as part of the update enabled another bug to become exploitable.

“One of the fixes incorporated in the released update also addressed the exploitation vector with the use of the sun.awt.SunToolkit class. Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more (please note, that not all security issues that were reported in Apr 2012 got addressed by the recent Java update),” Gowdiak wrote in a post on BugTraq.

“Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again.”

In addition to the newly disclosed vulnerability in Java 7, the team at Security Explorations says that it sent a number of other bug reports to Oracle in April–including the initial report of the CVE-2012-4681 bug–some of which have not yet been addressed.

Gowdiak said via email that the vulnerability he found in Java 7 is an entirely new issue and not just a reemergence of an older bug.

“That’s a completely new vulnerability. It however makes our past, not yet addressed issues possible to exploit again in the environment of the recent Java 7 Update 7,” Gowdiak said.

He also said that the company has not received any indication from Oracle when this flaw might be addressed with a patch.

“We only received information from Oracle that it planned to address the remaining 25 issues by the means of Oct 2012 and Mar 2013 Java CPUs,” Gowdiak said, referring to the larger group of bugs that Security Explorations reported to Oracle earlier this year.

Discussion

  • Anonymous on

    In Windows is there any less damage from a Java exploit running in Firefox if the computer is logged on as a limited account (as opposed to administrator account)?

  • mimi on

    I have problems on 2 different PC's. 1st- I have just done an "UNINSTALL" of Java7(-updt5) in my Control-Panel-Programs; using VISTA Home 32-bit. I tried 4 or 5 times; it will not go away!

    I have disabled it in Firefox; and it's not on IE (my Mom uses IE); so at least it's disabled; but I'd rather just remove it. Why is this happening? Does anyone know HOW to get it off? There is also another "Java FX 2?" installed in "Programs"; I can't get it off, either.

    Meanwhile, I've been away this past weekend. I have a Dell laptop myself. I was away this past weekend. When I turned on my laptop, the desktop had changed (color); and ALL my files (data) were gone! I was poking around in Event Viewer, and saw a ton of "Application Errors". I did not even know about this until I got onto my Mom's PC. I did a few things, trying to see what was wrong; I ran my AVG scan, and it didn't find "any threats". I did a re-start, after changing the color of my desktop, just to see if that would "take". Now, I get the new desktop, but NOTHING else! The laptop seems to be frozen, so I turned it off. How can I troubleshoot this? Does this new attack just wipe out the user's data files? I was prompted to run some new service by AVG (to check for duplicate files, registry errors, and to defrag disk(s)); since I bought their security software, I thought this was legit.

    This laptop uses Windows XP, 64, Pro. Any ideas?

  • Anonymous on

    What is this tech support for the noobs?

  • Anonymous on

    Mimi,

    This is not the place to get help. Suggest you download and run MBAM free version from malwarebytes.org.

    If no luck, go to the forums at malwarebytes.org, create an account, start a new topic and ask for help.

    HTH.

  • Anonymous on

    Slacker

  • kenSefdrofe on

    I really like your forum here. So I decided to be a part of it :) And here I am saying HELLO EVERYBODY!! :D
