Oracle Java Update 7 Contains Another Security Flaw

Hours after Oracle patched vulnerabilities in Java with an emergency out-of-band update, researchers managed to uncover another security flaw that would give attackers complete control of victim computers.

The new update contains a bug that lets attackers escape the Java sandbox, Adam Gowdiak, CEO of Polish security firm Security Explorations, wrote to the BugTraq mailing list on Friday. The company has notified Oracle and provided a proof-of-concept exploit, and said it would not release technical details until the flaw is fixed. It is not clear whether the new flaw is being exploited in the wild.

“The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012),” Gowdiak wrote. According to Gowdiak, a new security issue introduced in the update gives attackers a fresh way to exploit bugs his team had previously reported to Oracle but which remain unpatched.

Oracle initially released the out-of-band Java update on Aug. 30, after reports emerged that two serious vulnerabilities in the Java Runtime Environment were being exploited in the wild to push the Poison Ivy remote access tool (RAT) onto the computers of unsuspecting users.

Exploits for CVE-2012-4681 have already been incorporated into a number of malware toolkits, including Sweet Orange and Black Hole. Oracle’s Security Alert for CVE-2012-4681 included fixes for CVE-2012-4681, CVE-2012-1682, CVE-2012-3136 and CVE-2012-0547, which Oracle described as “three distinct but related vulnerabilities and one security-in-depth issue” affecting Java running within the browser, CVE-2012-0547 being the security-in-depth issue.

Initial analysis of the patch indicated that the original zero-day vulnerabilities had been closed, according to Tod Beardsley, the Metasploit engineering manager at Rapid7. The team had tested the exploit code previously added to the open-source Metasploit penetration testing framework against Java 7 Update 7 and found it no longer worked.

However, the security-in-depth issue appears to have been fixed incorrectly in Java 7 Update 7, Gowdiak said. His team had reported 29 vulnerabilities in Java 7 to Oracle back in April, including the two patched by the new update. By combining the new flaw with the remaining unpatched bugs, Gowdiak and his team were able to bypass the security sandbox completely, he said. Java relies on that sandbox to keep untrusted code, such as an applet loaded from a web page, from reaching the file system, the network and other sensitive operating-system functions.

“The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again,” Gowdiak said.

Oracle generally updates Java on a quarterly cycle, and the next scheduled update is Oct. 16. The emergency patch was surprising, as Oracle “almost never” deviates from its update calendar, said Beardsley. Oracle has not indicated whether it will push out another update to fix the new flaw, or if it will be addressed next month as part of the regular update.

More zero-day Java vulnerabilities will appear, and attackers will exploit them faster than ever, predicted ESET security evangelist Stephen Cobb. “Exploitation of those vulnerabilities will happen with considerable speed,” because malware is now an industry and the faster attackers move, the more money they make, Cobb said.

Security experts are again recommending that users disable the Java plug-in in their browsers until the next update ships. Users who do not regularly visit sites that need Java may be better off removing Java altogether.
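Before disabling or removing anything, an administrator first needs to know which machines are running the affected release. The following Python check is an added example, not code from the SecurityWeek article or from Security Explorations: it parses the first line of `java -version` output and flags Java 7 installs at or below Update 7, which is the newest release and the one the article says still carries the sandbox bypass. The hostnames and version strings are constructed samples, and the threshold is an assumption to raise once Oracle ships a fix; Java 6 is outside what the article describes, so it is deliberately not flagged.

```python
import re
from typing import Dict, List, Optional, Tuple

# `java -version` prints (to stderr) a first line such as
#   java version "1.7.0_07"
# Java 7 Update 7 appears as 1.7.0_07: the leading "1." is the old-style
# prefix, the second field is the major release, and _NN is the update.
_VERSION_RE = re.compile(
    r'^(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"',
    re.MULTILINE,
)

# Assumption: Java 7 Update 7 is the newest release and, per the article,
# still carries the sandbox bypass, so 7u7 and everything before it on the
# Java 7 line is treated as affected. Raise this once Oracle ships a fix.
LATEST_AFFECTED_JAVA7_UPDATE = 7


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) parsed from `java -version` output, or None
    when no Java version line is present (e.g. Java is not installed)."""
    match = _VERSION_RE.search(output)
    if match is None:
        return None
    first, second, _third, update = match.groups()
    # "1.7.0_07" -> major 7; a hypothetical "9.0.1" style string -> major 9
    major = int(second) if int(first) == 1 else int(first)
    return major, int(update) if update else 0


def is_affected(output: str) -> bool:
    """True when the output shows a Java 7 release at or below 7u7."""
    parsed = parse_java_version(output)
    if parsed is None:
        return False
    major, update = parsed
    return major == 7 and update <= LATEST_AFFECTED_JAVA7_UPDATE


def hosts_needing_action(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: captured `java -version` output}, return the hosts
    where the Java browser plug-in should be disabled (or Java removed)."""
    return sorted(host for host, output in inventory.items() if is_affected(output))


# Constructed sample outputs (not captured from real machines).
SAMPLE_7U7 = (
    'java version "1.7.0_07"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)\n'
)
SAMPLE_7U6 = (
    'java version "1.7.0_06"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'
)
# Java 6 is outside what the article describes, so it is not flagged here.
SAMPLE_6U35 = (
    'java version "1.6.0_35"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_35-b10)\n'
)
SAMPLE_NO_JAVA = "bash: java: command not found\n"

# Constructed inventory: hostname -> output of `java -version 2>&1`.
INVENTORY = {
    "ws-17": SAMPLE_7U7,
    "build01": SAMPLE_7U6,
    "kiosk-2": SAMPLE_6U35,
    "srv-db": SAMPLE_NO_JAVA,
}

if __name__ == "__main__":
    for host, output in INVENTORY.items():
        print(f"{host:8s} {parse_java_version(output)} affected={is_affected(output)}")
    print("needs action:", hosts_needing_action(INVENTORY))
```

To use it against real machines, capture `java -version 2>&1` from each host (the banner goes to stderr, and the same string format appears on Windows, Linux and macOS) and feed the outputs into `hosts_needing_action`. Because `java` on the PATH may not be the runtime the browser plug-in loads, treat a clean result as a prompt to also check the plug-in itself, not as proof that the browser is safe.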
