Java thrashing continues with new vulnerability discovery

Oracle, which has spent the last month dealing with pervasive security issues in Java, has another problem on its hands: a new flaw affecting multiple versions of the software platform that could grant an attacker control of a targeted machine.  

Polish vulnerability research firm Security Explorations, which has discovered a slew of Java bugs this year, said the latest flaw impacts Java SE versions 5, 6 and 7 running in all major web browsers – Firefox, Google Chrome, Internet Explorer, Opera and Safari.

Security Explorations notified Oracle of the vulnerability on Tuesday and posted a notice to the Bugtraq security mailing list the same day. The researchers are not aware of any attacks actively exploiting the flaw.

Adam Gowdiak, founder and CEO of Security Explorations, said in an email Tuesday to SCMagazine.com that the firm discovered the bug, which allows machines to be compromised through a complete bypass of the Java security sandbox, late last week.

“A malicious Java applet or application exploiting [this bug] could run unrestricted in the context of a target Java process, such as a web browser application,” Gowdiak said. “An attacker could then install programs, view, change or delete data with the privileges of a logged-on user.”

Security Explorations worked to confirm the issue over the weekend, and developed and tested proof-of-concept code for the flaw.

The bug's impact is rated critical in part because it is present in multiple major versions of Java, unlike the widely exploited flaw in August that affected only Java 7.

Some 1.1 billion desktops run Java. Mac users are particularly vulnerable, Gowdiak said, as Java comes pre-installed on Mac OS X 10.6 and below.

“This bug has the biggest impact among the 50 security issues we have discovered as part of our Java SE security research work,” he added.

In the message on BugTraq, Gowdiak took a jab at Larry Ellison, the CEO of Oracle, whose compensation increased by 24 percent last year, to $96.2 million, according to a Reuters article.

“We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of Larry Ellison's morning...Java,” Gowdiak said.

Gowdiak advised users to disable the Java plug-in in their web browser until Oracle releases patches, scheduled for Oct. 16. It's unclear if the fixes will address this latest defect.

A request for comment was not immediately returned by Oracle.

[An earlier version of this story incorrectly stated that Java 7 came pre-installed on Mac OS X 10.6 and below].
