New bug makes moot Java's latest anti-exploit defenses, claims researcher

Vulnerability allows attackers to bypass the plug-in's new protection against silent exploits

By , Computerworld |  Security

Java's new security settings, designed to block "drive-by" browser attacks, can be bypassed by hackers, a researcher announced Sunday.

The news came in the aftermath of several embarrassing "zero-day" vulnerabilities, and a recent commitment by the head of Java security that his team would fix bugs in the software.

The Java security provisions that can be circumvented were introduced last December with Java 7 Update 10, and let users decide which Java applets are allowed to run within their browsers. The most stringent of the four settings is supposed to block any applet not signed with a valid digital certificate. Other settings freely allow most unsigned applets, execute unsigned applets only if Java itself is up to date, or display a warning before unsigned applets are allowed to run.

But according to Adam Gowdiak, CEO of Security Explorations, none of the settings can stymie an attacker.

"What we found ... is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings," Gowdiak wrote in a message posted Sunday to the Bugtraq mailing list.

In an email reply to questions Sunday, Gowdiak said there was a single vulnerability that makes the bypass possible. "It could be used to successfully launch unsigned Java code on a target system regardless of the security level set by the user in Java Control Panel. [The] 'High' or 'Very High' security [setting] does not matter here, the code will still run," he said.

After discovering the vulnerability and creating a proof-of-concept exploit that worked on Java 7 Update 11 -- the version released two weeks ago -- running on Windows 7, Gowdiak reported the bug to Oracle.

His discovery makes moot -- in theory at least -- Oracle's latest security change. When it shipped an emergency update on Jan. 13 to quash two critical Java browser plug-in vulnerabilities, including one that was actively being exploited by cyber criminals, Oracle also automatically reset Java to the "High" security level. At that setting, Java notifies users before they can run unsigned applets.

Originally published on Computerworld |  Click here to read the original story.
Join us:






Ask a Question