The seemingly endless list of critical zero-day bugs found in Java grew longer today with news that one of the flaws fixed in Oracle’s recent patches for the product is under attack, and that when that bug is paired with another, separate vulnerability, the sandbox in the latest build of Java can be bypassed.
Polish security firm Security Explorations sent details regarding the two vulnerabilities, “issue 54” and “issue 55,” including proof of concept code, to Oracle for review today. Oracle confirmed it has received the information, according to an update to Security Explorations’ bug reporting status page, but has not confirmed the flaws.
Very little of the attack was officially disclosed by the company, but CEO Adam Gowdiak did acknowledge that the vulnerability only affects Java’s SE 7 software – which saw Update 15 released last Tuesday – and, according to reports, stems from a problem with the Java Reflection API.
Gowdiak and his team at Security Explorations have proved adept at finding holes in the much-maligned Java over the past year or so. The company previously developed a sandbox escape for versions 5, 6, and 7 of the software last fall before advocating for the removal of the framework.
The latest Java vulnerability is apparently unrelated to a separate vulnerability Gowdiak found last fall, one that Oracle claimed it would wait until February to fix and that could’ve given an attacker free rein over a user’s computer by using a malicious Java applet.
It’s possible, though, that the flaw could be related to a similar Java security sandbox bypass technique that was unearthed by Gowdiak in January after Java pushed Update 11 of the product. According to Softpedia, Gowdiak claimed he tested the flaw in the first release of Java 7, along with Updates 11 and 15. In January, Esteban Guillardoy of Immunity Inc. said “attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks.”
Apple, Facebook, Microsoft and other high-profile companies made headlines last week after acknowledging that a Java vulnerability left the companies open to attack via iPhoneDevSDK, a forum that was hosting malware spread by malicious JavaScript.