SecurityWeek

Oracle Java Update 7 Contains Another Security Flaw

Hours after Oracle patched vulnerabilities in Java with an emergency out-of-band update, researchers managed to uncover another security flaw that would give attackers complete control of victim computers.

The latest Oracle update contains a bug that allows attackers to bypass the Java sandbox and exploit the system, Adam Gowdiak, CEO of Polish security firm Security Explorations, wrote to the BugTraq mailing list on Friday. The company has notified Oracle and provided a proof-of-concept exploit, and said it would not release technical details of the vulnerability until the flaw is fixed. It is not clear whether the new flaw is currently being exploited in the wild.

“The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012),” Gowdiak wrote. A new security issue in the update provided attackers with a new way to exploit the previously announced Java vulnerabilities, according to Gowdiak.

Oracle initially released the out-of-band Java update on Aug. 30 after reports emerged of two serious vulnerabilities in the Java Runtime Environment that were being exploited in the wild to push the Poison Ivy remote access tool (RAT) onto the computers of unsuspecting users.

Exploits for CVE-2012-4681 have already been incorporated into a number of malware toolkits, including Sweet Orange and Black Hole. Oracle’s Security Alert CVE-2012-4681 included fixes for CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547, “three distinct but related vulnerabilities and one security-in-depth issue” affecting Java running within the browser.

Initial analysis of the patch indicated the original zero-day vulnerabilities had been closed, according to Tod Beardsley, the Metasploit engineering manager at Rapid7. The team had tested the exploit code previously added to the open-source Metasploit penetration testing framework against Java 7 Update 7.

However, the security-in-depth issue appears to have been fixed incorrectly in Java 7 Update 7, Gowdiak said. Gowdiak’s team had previously reported 29 vulnerabilities in Java 7 back in April, including the two that were patched with the new update. Gowdiak and his team were able to combine the new flaw with remaining unpatched bugs to completely bypass the security sandbox, he said. Java relies on the security sandbox to ensure untrusted code can’t access sensitive operating-system functions.

“The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again,” Gowdiak said.

Oracle generally updates Java on a quarterly cycle, and the next scheduled update is Oct. 16. The emergency patch was surprising, as Oracle “almost never” deviates from its update calendar, said Beardsley. Oracle has not indicated whether it will push out another update to fix the new flaw, or if it will be addressed next month as part of the regular update.

More zero-day Java vulnerabilities will appear, and attackers will become faster than ever in exploiting them, predicted ESET security evangelist Stephen Cobb. “Exploitation of those vulnerabilities will happen with considerable speed” because malware is now an industry, and the faster the attackers are, the more money they will make, Cobb said.

Security experts are recommending that users disable Java again until the next update. If users don’t regularly access sites that use Java, it may make sense to remove Java altogether.
