
Oracle Java Update 7 Contains Another Security Flaw

Hours after Oracle patched vulnerabilities in Java with an emergency out-of-band update, researchers managed to uncover another security flaw that would give attackers complete control of victim computers.


The latest Oracle update contains a bug that allows attackers to bypass the Java security sandbox and exploit the system, Adam Gowdiak, CEO of Polish security firm Security Explorations, wrote to the BugTraq mailing list on Friday. The company has notified Oracle and provided a proof-of-concept exploit, and said it would not release technical details of the vulnerability until the flaw is fixed. It is not clear whether the new flaw is currently being exploited in the wild.

“The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012),” Gowdiak wrote. A new security issue in the update provided attackers with a new way to exploit the previously announced Java vulnerabilities, according to Gowdiak.

Oracle initially released the out-of-band Java update on Aug. 30 after reports emerged of two serious vulnerabilities in the Java Runtime Environment that were being exploited in the wild to push the Poison Ivy remote access tool (RAT) onto the computers of unsuspecting users.

Exploits for CVE-2012-4681 have already been incorporated into a number of malware toolkits, including Sweet Orange and Black Hole. Oracle’s Security Alert CVE-2012-4681 included fixes for CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547, “three distinct but related vulnerabilities and one security-in-depth issue” affecting Java running within the browser.

Initial analysis of the patch indicated the original zero-day vulnerabilities had been closed, according to Tod Beardsley, the Metasploit engineering manager at Rapid7. The team had tested the exploit code previously added to the open-source Metasploit penetration testing framework against Java 7 Update 7.

However, the security-in-depth issue appears to have been fixed incorrectly in Java 7 Update 7, Gowdiak said. Gowdiak’s team had previously reported 29 vulnerabilities in Java 7 back in April, including the two that were patched with the new update. Gowdiak and his team were able to combine the new flaw with remaining unpatched bugs to completely bypass the security sandbox, he said. Java relies on the security sandbox to ensure untrusted code, such as an applet loaded from a web page, can’t access sensitive operating-system functions like the file system.
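To make concrete what the sandbox in the paragraph above is enforcing, here is a small added illustration (not code from the article, from Security Explorations or from Oracle) of the Java 7-era SecurityManager mechanism: a permission check that denies file access to code running under it, which is the kind of check a sandbox bypass defeats. The file path and the class name are constructed for the example; the SecurityManager API shown here was the mechanism in Java 7 but has since been deprecated and removed in current Java releases.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.Permission;

public class SandboxDemo {

    // A deliberately narrow policy: refuse every file-system permission and
    // let everything else through. Real deployments used a policy file, but
    // the enforcement point is the same checkPermission() call.
    static final class DenyFileAccess extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission) {
                throw new AccessControlException("sandbox denied " + perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Returns true when the sandbox stopped the read check, false when the
    // read went through. A false result after the manager is installed is
    // exactly the "sandbox bypass" condition the article describes.
    static boolean sandboxBlocksRead(File target) {
        try {
            target.canRead();          // File.canRead() calls checkRead() -> checkPermission()
            return false;
        } catch (AccessControlException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        File probe = new File("/etc/hostname");   // constructed example path

        System.out.println("No sandbox installed, blocked: " + sandboxBlocksRead(probe));

        System.setSecurityManager(new DenyFileAccess());
        System.out.println("Sandbox installed, blocked:     " + sandboxBlocksRead(probe));
    }
}
```

Run with a Java release that still ships SecurityManager (Java 7 through 16 without warnings); the second line prints `true`, showing the check that untrusted code would have to escape. The bugs Gowdiak describes did not break this check directly but reached privileged code paths that never consulted it, which is why a single incorrectly fixed issue could reopen several others.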

“The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again,” Gowdiak said.


Oracle generally updates Java on a quarterly cycle, and the next scheduled update is Oct. 16. The emergency patch was surprising, as Oracle “almost never” deviates from its update calendar, said Beardsley. Oracle has not indicated whether it will push out another update to fix the new flaw, or if it will be addressed next month as part of the regular update.

More zero-day Java vulnerabilities will appear and attackers will become faster than ever in exploiting them, predicted ESET security evangelist Stephen Cobb. “Exploitation of those vulnerabilities will happen with considerable speed” because malware is now an industry and the faster the attackers are, the more money they will make, Cobb said.

Security experts are again recommending that users disable Java in the browser until the next update. If users don’t regularly access sites that use Java, it may make sense to remove Java altogether.
