SciTech

Another critical Java flaw spotted just after patch release


Just after an emergency security patch was issued for Java, another serious flaw was found that would make it vulnerable again to attacks.
 
A report on PC World cited data from Poland-based security firm Security Explorations that the flaw allows attackers to escape the Java sandbox and execute arbitrary code.
 
“Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again ... A new idea came, it was verified and it turned out that this was it,” it quoted Security Explorations' founder and CEO Adam Gowdiak as saying.
 
PC World said Security Explorations sent a report about the vulnerability to Oracle, along with a proof-of-concept (POC) exploit.
 
But Gowdiak said the company will not release technical details about the vulnerability until Oracle addresses it.
 
"It’s not clear if Oracle will release a new Java security update in October as it previously planned. Oracle declined to comment," PC World said.
 
Last week, Oracle released an out-of-cycle update - one issued outside its regular patch schedule - in the form of Java 7 Update 7, an emergency security update that patched three flaws.
 
Two of the vulnerabilities were already being exploited at the time the patch came out, PC World said.
 
Oracle's update also fixed a “security-in-depth issue” that could be used to aggravate the impact of other vulnerabilities.
 
29 vulnerabilities reported
 
PC World quoted Gowdiak as saying Security Explorations privately reported 29 vulnerabilities in Java 7 to Oracle last April.
 
These 29 included the two being exploited by attackers now.
 
Java 6 has better security
 
PC World said the experience of Security Explorations researchers suggested Java 6 has better security than Java 7.
 
“Java 7 was surprisingly much easier for us to break. For Java 6, we didn’t manage to achieve a full sandbox compromise, except for the issue discovered in Apple Quicktime for Java software,” Gowdiak said.
 
He suggested that users who do not need Java on their systems should uninstall it. — TJD, GMA News