
Another Java security flaw found


Oh no, not again: Barely a week after Oracle rolled out its latest security update for Java, a researcher has found yet another security hole in the software.
 
Researcher Adam Gowdiak said the new flaw can affect all versions of Java SE 7, including the recently released 1.7.0_21-b11.
 
“It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” he said in a blog post.
 
Gowdiak also noted that in April 2012 he sent his first vulnerability report to Oracle, warning of multiple security problems in Java SE 7, particularly in the Reflection API.
 
Yet after one year, he said, he could see “one of the simplest and most powerful instances of Java Reflection API based vulnerabilities.”
 
A separate report by security vendor Sophos said that while users can still be warned with a security dialog, this can potentially be overcome by social engineering.
 
“(I)t’s easy to imagine how simple social engineering would trick many users into granting permission for the malicious code to execute,” it said.
 
Sophos reiterated its advice to computer users to turn off Java if they do not need it in their browser. “If you don’t need Java, why put yourself at risk?” it said. — TJD, GMA News