Researchers find critical vulnerability in Java 7 patch hours after release

The new vulnerability allows a complete Java Virtual Machine sandbox escape in Java 7 Update 7, researchers from Security Explorations say

Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO said Friday via email.

The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.

Oracle broke out of its regular four-month patching cycle on Thursday to release Java 7 Update 7, an emergency security update that addressed three vulnerabilities, including two that were being exploited by attackers to infect computers with malware since last week.

Java 7 Update 7 also patched a "security-in-depth issue" which, according to Oracle, was not directly exploitable, but could have been used to aggravate the impact of other vulnerabilities.

The patching of that "security-in-depth issue," which Gowdiak calls an "exploitation vector," rendered all of the proof-of-concept (PoC) Java Virtual Machine (JVM) security bypass exploits previously submitted by the Polish security firm to Oracle, ineffective.

According to Gowdiak, Security Explorations privately reported 29 vulnerabilities in Java 7 to Oracle back in April, including the two that are now actively exploited by attackers.

The reports were accompanied by a total of 16 proof-of-concept exploits that combined those vulnerabilities to fully bypass the Java sandbox and execute arbitrary code on the underlying system.

The removal of the getField and getMethod methods from the implementation of the sun.awt.SunToolkit class in Java 7 Update 7 disabled all of Security Explorations' PoC exploits, Gowdiak said.

However, this only happened because the "exploitation vector" was removed, not because all vulnerabilities targeted by the exploits were patched, Gowdiak said.

The new vulnerability discovered by Security Explorations in Java 7 Update 7 can be combined with some of the vulnerabilities left unpatched by Oracle to achieve a full JVM sandbox bypass again.

"Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again," Gowdiak said. "A new idea came, it was verified and it turned out that this was it."

Gowdiak doesn't know when Oracle plans to address the remaining vulnerabilities reported by Security Explorations in April or the new one submitted by the security company on Friday.

It's not clear if Oracle will release a new Java security update in October as it previously planned. The company did not immediately return a request for comment.

Security researchers have always warned that if vendors take too much time to address a reported vulnerability it might be discovered by the bad guys in the meantime, if they don't already know about it.

It happened on multiple occasions for different bug hunters to discover the same vulnerability in the same product independently and this is what might have also happened in the case of the two actively exploited Java vulnerabilities that were addressed by Java 7 Update 7.

"Independent discoveries can never be excluded," Gowdiak said. "This specific issue [the new vulnerability] might be however a little bit more difficult to find."

Based on the experience of Security Explorations researchers with hunting for Java vulnerabilities so far, Java 6 has better security than Java 7. "Java 7 was surprisingly much easier for us to break," Gowdiak said. "For Java 6, we didn't manage to achieve a full sandbox compromise, except for the issue discovered in Apple Quicktime for Java software."

Gowdiak has echoed what many security researchers have said before: If you don't need Java, uninstall it from your system.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place