New Java exploit on the loose following recent security update

Share this article:
Operators again revive Pushdo botnet, use a popular tactic to stay hidden
Operators again revive Pushdo botnet, use a popular tactic to stay hidden

Less than a week after Oracle released a scheduled security update for Java, an exploit that takes advantage of one of the patched bugs has been added to a popular exploit toolkit.

Researchers at security firm F-Secure said that on Sunday they first witnessed signs of ongoing attacks, which take advantage of a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17. The exploit has been added to commercially available exploit toolkits, including RedKit.

Meanwhile, a researcher has discovered a fresh, unpatched hole in Java 7, a reflection application program interface (API) flaw affecting all versions.

On Monday, Adam Gowdiak, CEO at Poland-based vulnerability research firm Security Explorations, notified Oracle of the bug. He sent the company a proof-of-concept code, and that same day also posted a message about the vulnerability on Full Disclosure mailing list.

According to Oracle, reflection API is an “advanced feature” that gives programs the ability to examine or modify run-time behaviors of applications running in Java.

The flaw could allow an attacker to complete a Java security sandbox bypass, according to Gowdiak. The user will first see a window displaying a security warning before the vulnerability can be exploited.

“Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” Gowdiak wrote. “What's interesting is that the new issue is present not only in the [Java Runtime Environment] Plugin … but also the recently announced Server JRE as well." 

Oracle's security update last week included 42 fixes for bugs in Java and an improved notification system to help users determine the trustworthiness of Java programs before executing them.

On Tuesday, SCMagazine.com reached out to Oracle, Java's maker, but did not immediately hear back.

Exploits that take advantage of outdated Java installations remain a prevalent threat for enterprises. Last month, Websense data found that only 5.5 percent of browsers with Java enabled are running the most current version of the software.

Mark Reinhold, chief architect of the Java platform group, last week announced that Java 8 would be pushed back until the first quarter of 2014, even though the platform was scheduled to become available in early September, due to security concerns.

Share this article:

Sign up to our newsletters

More in News

AOL Mail hack furthers spam campaign using spoofed accounts

AOL confirmed on Monday that it was aware of the issue and working to remediate the situation.

Backdoors in Wi-Fi routers, said to be closed, can be reopened

Backdoors in Wi-Fi routers, said to be closed, ...

Although said to be patched, researcher Eloi Vanderbeken discovered during the Easter holiday that backdoors existing in certain wireless routers can be reactivated.

Apple ships Mac OS X updates, fixes several code execution bugs

Apple ships Mac OS X updates, fixes several ...

Among the addressed vulnerabilities, was a bug affecting WindowServer, which could allow an attacker to execute malicious code outside the sandbox.