Hours after Oracle patched vulnerabilities in Java with an emergency out-of-band update, researchers managed to uncover another security flaw that would give attackers complete control of victim computers.
The latest Oracle update contains a bug that allows attackers to bypass and exploit the system, CEO of Polish security firm Security Explorations Adam Gowdiak wrote to the BugTraq maling list on Friday. The company has notified Oracle and provided a proof-of-concept exploit, and said it would not release technical details of the vulnerability until the flaw is fixed. It is not clear whether the new flaw is currently being exploited in the wild.
"The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012)," Gowdiak wrote. A new security issue in the update provided attackers with a new way to exploit the previously announced Java vulnerabilities, according to Gowdiak.
Oracle initially released the out-of-band Java update on Aug. 30 after reports emerged of two serious vulnerabilities in the Java Runtime Environment that was being exploited in the wild to push the Poison Ivy remote access tool (RAT) onto the computers of unsuspecting users.
Exploits for CVE-2012-4681 have already been incorporated into a number of malware toolkits, including Sweet Orange and Black Hole. Oracle's Security Alert CVE-2012-4681 included fixes for CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547, "three distinct but related vulnerabilities and one security-in-depth issue" affecting Java running within the browser.
Initial analysis of the patch indicated the original zero-day vulnerabilities had been closed, according to Tod Beardsley, the Metasploit engineering manager at Rapid7. The team had tested the existing exploit code that had been previously added to opensource Metasploit penetration framework against Java 7 Update 7.
However, the security-in-depth issue appears to have been fixed incorrectly in Java 7 Update 7, Gowdiak said. Gowdiak's team had previously reported 29 vulnerabilities in Java 7 back in April, including the two that was patched with the new update. Gowdiak and his team were able to combine the new flaw with remaining unpatched bugs to completely bypass the security sandbox, he said. Java relies on the security sandbox to ensure untrusted code can't access sensitive operating-system functions.
“The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again,” Gowdiak said.
Oracle generally updates Java on a quarterly cycle, and the next scheduled update is Oct. 16. The emergency patch was surprising, as Oracle "almost never" deviates from its update calendar, said Beardsley. Oracle has not indicated whether it will push out another update to fix the new flaw, or if it will be addressed next month as part of the regular update.
More zero day Java vulnerabilities will appear and attackers will become faster than ever in exploiting them, predicted ESET security evangelist Stephen Cobb. "Exploitation of those vulnerabilities will happen with considerable speed" because malware is now an industry and the faster the attackers are, the more money they will make, Cobb said.
Security experts are recommending users disable Java again, until the next update. If users don't regularly access sites that use Java, it may make sense to completely remove Java altogether.