From
Dan Goodin [http://arstechnica.com]
Researchers said they've uncovered a flaw in the Java 7 update
released by Oracle on Thursday that allows attackers to take complete
control of end-user computers.
The flaw in Java 7 Update 7, which
Oracle released to stop in-the-wild attacks
that silently install malware on end-user machines, is the latest black
eye for the security of the widely used software framework. It comes
after revelations that Oracle
learned of the vulnerabilities under attack in April, four months before the exploits were detected. Oracle has yet to explain the delay in fixing the bugs.
The latest bug "facilitates full Java sandbox bypass on latest Java 7
Update 7," Adam Gowdiak, the CEO of Poland-based Security Explorations,
wrote in an e-mail to Ars. His team developed proof-of-concept code and
delivered it on Friday to Oracle engineers. The discovery of the new
critical bug was
reported earlier by IDG News. There are no reports that it is being exploited online.
 |
| Java "applets" run in a secure sandbox that prevents them from
interacting with sensitive operating-system functions unless authorized. |
"The total hunt took about 2-3 hours," Gowdiak wrote. "It was done yesterday in the evening. The discovery was made [as] a result of a manual analysis of Java code (its implementation)."
Gowdiak declined to discuss technical details out of concern that they may make it easier for criminals to exploit the flaw in e-mail- or Web-based attacks. He said the discovery came "while trying to fix the proof-of-concept codes that stopped working after applying the recent Java patch."
An Oracle spokeswoman responding to a request for comment referred Ars to
this advisory, which was published with Thursday's update. She and other representatives didn't respond to a follow-up e-mail informing her that the advisory was published before the most recent vulnerability was discovered.
This week's attack, and Oracle's lack of public response to them, has renewed calls by many—this reporter included—to remove Java from computers that don't use the cross-platform framework. Many programs that claim Java is required work fine, or almost as well, without the Oracle software, as
confirmed by at least two Ars readers on Thursday. Even when it's mandatory for programs such as Adobe Photoshop, as
one Mac-using Ars reader reported, users may want to remove Java plugins from their browsers if the websites they regularly visit don't require it. The removal advice has proved controversial to some, so Ars readers are encouraged to decide for themselves. (Oracle's official Twitter account for Java has also
disagreed with the advice.)
Two of some 19 bugs that Gowdiak's firm reported in April were among those combined in the latest proof-of-concept attack to completely bypass the security sandbox Java relies on to ensure untrusted code can't access sensitive operating-system functions. Some of the remaining holes still haven't been plugged, and when linked to the latest discovered flaw, attackers could once again have the ability to escape the safety perimeter.
Said Gowdiak: "When combined with some of the April 2012 issues, the new
issue allows [one] to achieve a complete [Java virtual machine] sandbox
bypass in the environment of latest Java SE 7 Update 7 (version that
was released on August 30, 2012)."
Source: http://arstechnica.com/security/2012/08/critical-bug-discovered-in-newest-java/
