New Java exploit on the loose following recent security update


Less than a week after Oracle released a scheduled security update for Java, an exploit that takes advantage of one of the patched bugs has been added to a popular exploit toolkit.

Researchers at security firm F-Secure said that on Sunday they first witnessed signs of ongoing attacks, which take advantage of a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17. The exploit has been added to commercially available exploit toolkits, including RedKit.

Meanwhile, a researcher has discovered a fresh, unpatched hole in Java 7, a reflection application program interface (API) flaw affecting all versions.

On Monday, Adam Gowdiak, CEO at Poland-based vulnerability research firm Security Explorations, notified Oracle of the bug. He sent the company proof-of-concept code, and that same day also posted a message about the vulnerability on the Full Disclosure mailing list.

According to Oracle, the reflection API is an “advanced feature” that gives programs the ability to examine or modify the run-time behavior of applications running in Java.

The flaw could allow an attacker to complete a Java security sandbox bypass, according to Gowdiak. The user will first see a window displaying a security warning before the vulnerability can be exploited.

“Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” Gowdiak wrote. “What's interesting is that the new issue is present not only in the [Java Runtime Environment] Plugin … but also the recently announced Server JRE as well." 

Oracle's security update last week included 42 fixes for bugs in Java and an improved notification system to help users determine the trustworthiness of Java programs before executing them.

On Tuesday, SCMagazine.com reached out to Oracle, Java's maker, but did not immediately hear back.

Exploits that take advantage of outdated Java installations remain a prevalent threat for enterprises. Last month, Websense data found that only 5.5 percent of browsers with Java enabled are running the most current version of the software.

Mark Reinhold, chief architect of the Java platform group, last week announced that, due to security concerns, Java 8 would be pushed back until the first quarter of 2014; the platform had been scheduled to become available in early September.
