Java thrashing continues with new vulnerability discovery


Oracle, which has spent the last month dealing with pervasive security issues in Java, has another problem on its hands: a new flaw affecting multiple versions of the software platform that could grant an attacker control of a targeted machine.  

Polish vulnerability research firm Security Explorations, which has discovered a slew of Java bugs this year, said the latest flaw impacts Java SE versions 5, 6 and 7 running in all major web browsers – Firefox, Google Chrome, Internet Explorer, Opera and Safari.

Security Explorations notified Oracle of the vulnerability on Tuesday and also posted a message on BugTraq, a mailing list archive, the same day. Researchers are not aware of any attacks actively exploiting the flaw.

Adam Gowdiak, founder and CEO of Security Explorations, said in an email Tuesday that the firm discovered the bug – which allows machines to be compromised through a complete Java security sandbox bypass – late last week.

“A malicious Java applet or application exploiting [this bug] could run unrestricted in the context of a target Java process, such as a web browser application,” Gowdiak said. “An attacker could then install programs, view, change or delete data with the privileges of a logged-on user.”

Security Explorations worked to confirm the issue over the weekend, and developed and tested proof-of-concept code for the flaw.

Reasons for its critical impact include the fact that the bug is present in multiple versions of Java, unlike a widespread exploit in August that only affected Java 7 versions.

Some 1.1 billion desktops run Java. Mac users are particularly vulnerable, Gowdiak said, as Java comes pre-installed on Mac OS X 10.6 and below.

“This bug has the biggest impact among the 50 security issues we have discovered as part of our Java SE security research work,” he added.

In the message on BugTraq, Gowdiak took a jab at Larry Ellison, the CEO of Oracle, whose compensation increased by 24 percent last year, to $96.2 million, according to a Reuters article.

“We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of Larry Ellison's morning...Java,” Gowdiak said.

Gowdiak advised users to disable the Java plug-in in their web browser until Oracle releases patches, scheduled for Oct. 16. It's unclear if the fixes will address this latest defect.

A request for comment was not immediately returned by Oracle.

[An earlier version of this story incorrectly stated that Java 7 came pre-installed on Mac OS X 10.6 and below].
