New Java exploit on the loose following recent security update

Less than a week after Oracle released a scheduled security update for Java, an exploit that takes advantage of one of the patched bugs has been added to a popular exploit toolkit.

Researchers at security firm F-Secure said that on Sunday they first witnessed signs of ongoing attacks, which take advantage of a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17. The exploit has been added to commercially available exploit toolkits, including RedKit.

Meanwhile, a researcher has discovered a fresh, unpatched hole in Java 7, a reflection application program interface (API) flaw affecting all versions.

On Monday, Adam Gowdiak, CEO at Poland-based vulnerability research firm Security Explorations, notified Oracle of the bug. He sent the company proof-of-concept code and, that same day, also posted a message about the vulnerability on the Full Disclosure mailing list.

According to Oracle, the reflection API is an “advanced feature” that gives programs the ability to examine or modify run-time behaviors of applications running in Java.

The flaw could allow an attacker to complete a Java security sandbox bypass, according to Gowdiak. The user will first see a window displaying a security warning before the vulnerability can be exploited.

“Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” Gowdiak wrote. “What's interesting is that the new issue is present not only in the [Java Runtime Environment] Plugin … but also the recently announced Server JRE as well.”

Oracle's security update last week included 42 fixes for bugs in Java and an improved notification system to help users determine the trustworthiness of Java programs before executing them.

On Tuesday, SCMagazine.com reached out to Oracle, Java's maker, but did not immediately hear back.

Exploits that take advantage of outdated Java installations remain a prevalent threat for enterprises. Last month, Websense data found that only 5.5 percent of browsers with Java enabled are running the most current version of the software.

Mark Reinhold, chief architect of the Java platform group, last week announced that, due to security concerns, Java 8 would be pushed back until the first quarter of 2014. The platform had been scheduled to become available in early September.
