Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might “spoil the taste of Larry Ellison's morning…Java.”
If you disabled Java when the last zero-day exploit was spotted in the wild, then you might consider doing so again . . . or dumping Java altogether? According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.”
Appalled to learn that Oracle/Java has another huge critical hole, I reached out to Adam Gowdiak in an email interview.
Interview with Security Explorations' CEO Adam Gowdiak:
I wanted to clarify that this is yet another new critical Java zero-day that places one billion users at risk (again)?
Gowdiak: That's right. This is a completely new issue (announced today). It has however bigger impact than any previous issue we found as part of our Java security research project as it affects Java 5, 6 and 7. Most of our previous findings were primarily affecting Java version 7.
Unlike the last critical security flaw that Oracle just patched on August 30, this critical Java bug affects all the newest versions of Java since the last patch?
Gowdiak: That's right.
If you have the Java plugin and use any of these browsers, Chrome, Firefox, Internet Explorer, Opera and Safari then you are vulnerable?
Gowdiak: Yes. We tested the latest web browsers with the latest Java SE software.
This is Security Explorations' anniversary 50th Java bug discovery? (Issue 50 states: This proof-of-concept is a “complete Java security sandbox bypass.”)
Gowdiak: Yes. We found a total of 50 issues in various Java SE implementations:
- 31 issues reported to Oracle (17 different complete sandbox bypass exploits)
- 2 issues reported to Apple (1 complete sandbox bypass exploit)
- 17 issues reported to IBM (10 different complete sandbox bypass exploits).
You see the timeline of reporting them here: http://www.security-explorations.com/en/SE-2012-01-status.html
So what did Oracle reply to you?
Gowdiak: We haven't heard from them yet.
Softpedia stated, 'The researchers have confirmed that Java SE 5 – Update 22, Java SE 6 – Update 35, and Java SE 7 Update 7 running on fully patched Windows 7 32-bit operating systems are susceptible to the attack.' Does that imply that fully patched Windows 7 64-bit systems are not vulnerable to the attack? Is it only Windows 7?
Gowdiak: No. It's gonna be Windows 7 32-bit as well as 64-bit. We simply did our test on Windows 7 32-bit. But, it does not matter because all operating systems supported by Oracle Java SE (such as Windows, Linux, Solaris, MacOS) are vulnerable as long as they have Java 5, 6 or 7 installed and enabled.
You disclosed that the bug allows attackers to violate a fundamental security constraint of a Java Virtual Machine (type safety). What could an attacker do by exploiting the newest Java vulnerability?
Gowdiak: A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.
What security advice do you have for the one billion Java users at risk?
Gowdiak: Taking into account the risk posed by the bug uncovered, it is best to disable the Java Plugin in the web browser and wait for the patches from Oracle. There are still 3 weeks till the scheduled Java Oct CPU [Critical Patch Update], so it might be possible that the bug will be addressed by the company on 16 Oct 2012.
To recap, this Java bug is even worse than the last critical Java vulnerability. It puts one billion users of Oracle’s Java SE, Java 5, 6 and 7, at risk. It could be exploited using these browsers: Chrome, Firefox, Internet Explorer, Opera and Safari. If you visit a maliciously crafted website, attackers could gain total control of your PC. Wow, thanks a lot Oracle.