New Java exploit on the loose following recent security update

Share this article:
Operators again revive Pushdo botnet, use a popular tactic to stay hidden
Operators again revive Pushdo botnet, use a popular tactic to stay hidden

Less than a week after Oracle released a scheduled security update for Java, an exploit that takes advantage of one of the patched bugs has been added to a popular exploit toolkit.

Researchers at security firm F-Secure said that on Sunday they first witnessed signs of ongoing attacks, which take advantage of a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17. The exploit has been added to commercially available exploit toolkits, including RedKit.

Meanwhile, a researcher has discovered a fresh, unpatched hole in Java 7, a reflection application program interface (API) flaw affecting all versions.

On Monday, Adam Gowdiak, CEO at Poland-based vulnerability research firm Security Explorations, notified Oracle of the bug. He sent the company a proof-of-concept code, and that same day also posted a message about the vulnerability on Full Disclosure mailing list.

According to Oracle, reflection API is an “advanced feature” that gives programs the ability to examine or modify run-time behaviors of applications running in Java.

The flaw could allow an attacker to complete a Java security sandbox bypass, according to Gowdiak. The user will first see a window displaying a security warning before the vulnerability can be exploited.

“Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” Gowdiak wrote. “What's interesting is that the new issue is present not only in the [Java Runtime Environment] Plugin … but also the recently announced Server JRE as well." 

Oracle's security update last week included 42 fixes for bugs in Java and an improved notification system to help users determine the trustworthiness of Java programs before executing them.

On Tuesday, SCMagazine.com reached out to Oracle, Java's maker, but did not immediately hear back.

Exploits that take advantage of outdated Java installations remain a prevalent threat for enterprises. Last month, Websense data found that only 5.5 percent of browsers with Java enabled are running the most current version of the software.

Mark Reinhold, chief architect of the Java platform group, last week announced that Java 8 would be pushed back until the first quarter of 2014, even though the platform was scheduled to become available in early September, due to security concerns.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.

NICE Conference & Expo to be held in Columbia, Md.

The conference will cover the future of cybersecurity education in the U.S.

Franchises to get assistance on cybersecurity strategy

The National Cyber Security Alliance has teamed up with the International Franchise Association to promote cybersecurity awareness among franchise businesses in the U.S.