Researchers find critical vulnerability in Java 7 patch hours after release

The new vulnerability allows a complete Java Virtual Machine sandbox escape in Java 7 Update 7, researchers from Security Explorations say

By Lucian Constantin, IDG News Service |  Security

"Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again," Gowdiak said. "A new idea came, it was verified and it turned out that this was it."

Gowdiak doesn't know when Oracle plans to address the remaining vulnerabilities reported by Security Explorations in April or the new one submitted by the security company on Friday.

It's not clear if Oracle will release a new Java security update in October as it previously planned. The company did not immediately return a request for comment.

Security researchers have always warned that if vendors take too much time to address a reported vulnerability it might be discovered by the bad guys in the meantime, if they don't already know about it.

It happened on multiple occasions for different bug hunters to discover the same vulnerability in the same product independently and this is what might have also happened in the case of the two actively exploited Java vulnerabilities that were addressed by Java 7 Update 7.

"Independent discoveries can never be excluded," Gowdiak said. "This specific issue [the new vulnerability] might be however a little bit more difficult to find."

Based on the experience of Security Explorations researchers with hunting for Java vulnerabilities so far, Java 6 has better security than Java 7. "Java 7 was surprisingly much easier for us to break," Gowdiak said. "For Java 6, we didn't manage to achieve a full sandbox compromise, except for the issue discovered in Apple Quicktime for Java software."

Gowdiak has echoed what many security researchers have said before: If you don't need Java, uninstall it from your system.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness