Researchers find critical vulnerabilities in Java 7 Update 11
The latest Java update is also vulnerable to sandbox bypass exploits, researchers from Security Explorations say
IDG News Service - Researchers from Security Explorations, a Poland-based vulnerability research firm, claim to have found two new vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software's security sandbox and execute arbitrary code on computers.
Security Explorations successfully confirmed that a complete Java security sandbox bypass can be still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company's researchers, Adam Gowdiak, the company's founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.
According to Security Explorations' disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.
Researchers from security firm Immunity who analyzed the exploit being used by cybercriminals since last week concluded that it also combined two vulnerabilities to achieve a Java sandbox escape. However, they later said in a blog post that Java 7 Update 11 only addressed one of them and warned that if attackers find another vulnerability to replace the patched one, a new exploit can be created.
The vulnerabilities discovered by Security Explorations are separate from the one left unpatched by Oracle in Java 7 Update 11, Gowdiak said Friday via email.
Some security researchers, including those from the U.S. Computer Emergency Readiness Team (US-CERT), continued to advise users to disable the Java browser plug-in despite the release of Java 7 Update 11, citing concerns that similar attacks might occur in the future.
"There is definitely something worrying regarding the quality of Java SE 7 code," Gowdiak said. This could suggest the lack of a proper Secure Development Lifecycle program for Java or some other problems that are internal to Oracle, he said.
That said, the fact that Java 7 Update 11 asks for users confirmation before allowing Java applets to be executed inside browsers is definitely a step in the right direction and could block many attacks, Gowdiak said.
- Who does NSS Labs "Recommend" for NGFW? In 2012, NSS Labs found that most available NGFW solutions "fell short in performance and security effectiveness." In 2013 NSS Labs noted "marked...
- What is this "File Sync" Thing and Why Should I Care About It? All of a sudden, getting a file from your work laptop to your iPad became as simple as clicking "Save." So it's no...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- The Growing Demand for Rich Media This white paper discusses how IBM Customer Experience Suite Rich Media Edition can automate rich media workflows, from collaborating with creative agencies and...
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Management White Papers | Webcasts