Java thrashing continues with new vulnerability discovery

Oracle, which has spent the last month dealing with pervasive security issues in Java, has another problem on its hands: a new flaw affecting multiple versions of the software platform that could grant an attacker control of a targeted machine.  

Polish vulnerability research firm Security Explorations, which has discovered a slew of Java bugs this year, said the latest flaw impacts Java SE versions 5, 6 and 7 running in all major web browsers – Firefox, Google Chrome, Internet Explorer, Opera and Safari.

Security Explorations notified Oracle of the vulnerability on Tuesday and also posted a message on BugTraq, a mailing list archive, the same day. Researchers are not aware of any attacks actively exploiting the flaw.

Adam Gowdiak, founder and CEO of Security Explorations, said in an email Tuesday to SCMagazine.com that the firm discovered the bug – which allows machines to be compromised through a complete Java security sandbox bypass – late last week.

“A malicious Java applet or application exploiting [this bug] could run unrestricted in the context of a target Java process, such as a web browser application,” Gowdiak said. “An attacker could then install programs, view, change or delete data with the privileges of a logged-on user.”

Security Explorations worked to confirm the issue over the weekend, and developed and tested proof-of-concept code for the flaw.

Its impact is rated critical in part because the bug is present in multiple versions of Java, unlike the widely exploited flaw in August, which affected only Java 7.

Some 1.1 billion desktops run Java. Mac users are particularly vulnerable, Gowdiak said, as Java comes pre-installed on Mac OS X 10.6 and below.

“This bug has the biggest impact among the 50 security issues we have discovered as part of our Java SE security research work,” he added.

In the message on BugTraq, Gowdiak took a jab at Larry Ellison, the CEO of Oracle, whose compensation increased by 24 percent last year, to $96.2 million, according to a Reuters article.

“We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of Larry Ellison's morning...Java,” Gowdiak said.

Gowdiak advised users to disable the Java plug-in in their web browser until Oracle releases patches, scheduled for Oct. 16. It's unclear if the fixes will address this latest defect.

A request for comment was not immediately returned by Oracle.

[An earlier version of this story incorrectly stated that Java 7 came pre-installed on Mac OS X 10.6 and below].
