Researcher digs up another zero-day Java bug
Present in Java 5. 6 and 7, leaves Windows PCs and Macs open to attack
Computerworld - A security researcher known for finding Java bugs has uncovered a new critical zero-day vulnerability in all currently-supported versions of the popular Oracle software.
The bug, which was publicly reported on the Full Disclosure security mailing list Tuesday by Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, can be leveraged to hijack a machine equipped with Java, letting attackers install malware on the system.
Windows PCs and Macs are equally at risk if their users have installed Java, or in the case of OS X, are running 10.6, aka Snow Leopard, or earlier. Snow Leopard was the last edition where Apple bundled Java with the operating system.
All currently-support versions of Java, including Java 5, Java 6 and Java 7, contain the bug.
Gowdiak has found other Java vulnerabilities in the past: Earlier this year he reported more than a dozen to Oracle. Months later, hackers independently uncovered one of the bugs, then began using it in widespread attacks during August.
On Aug. 30 Oracle shipped one of its rare emergency, or "out-of-band," security updates to patch the exploited Java bug.
The vulnerability Gowdiak revealed Tuesday was both potentially more serious than the already-exploited flaw and less of a risk to users at the moment.
"The potential impact is bigger when it comes to the number of Java desktops," said Gowdiak in an email reply to questions. "The vulnerability affects up-to-date installs of Java 5, 6 and 7. We even tested the developer preview of Java 7 Update 10, a build from Sept. 20, 2012, [and] verified it was also vulnerable."
The Java zero-days exploited by cyber criminals last month were in Java 7 only -- the newest edition -- and because of that, Gowdiak and other experts recommended users downgrade to Java 6, which was safe.
Not the case now, as all editions of Java harbor the flaw.
Gowdiak, using installed-base statistics cited by Oracle, argued that approximately 1 billion computer users are at risk because of the unpatched vulnerability.
On the other hand, there is much less urgency with this vulnerability than the one exploited last month for the simply fact that there's no evidence it's in the hands of hackers. "We are not aware of any active attacks that would exploit this vulnerability," Gowdiak said.
While Gowdiak said that he found the new Java bug last week -- and took the weekend to create and test a proof-of-concept exploit -- he only reported it to Oracle on Tuesday. In a follow-up email to Computerworld, Gowdiak said, "We just received confirmation of the issue from Oracle."
The company also told him that the bug will be patched in a future Java security update, but that it did not name which. The next on Oracle's quarterly schedule will ship Oct. 16.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts