Researcher digs up another zero-day Java bug

Present in Java 5, 6 and 7, leaves Windows PCs and Macs open to attack

A security researcher known for finding Java bugs has uncovered a new critical zero-day vulnerability in all currently-supported versions of the popular Oracle software.

The bug, which was publicly reported on the Full Disclosure security mailing list Tuesday by Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, can be leveraged to hijack a machine equipped with Java, letting attackers install malware on the system.

Windows PCs and Macs are equally at risk if their users have installed Java, or in the case of OS X, are running 10.6, aka Snow Leopard, or earlier. Snow Leopard was the last edition where Apple bundled Java with the operating system.

All currently supported versions of Java, including Java 5, Java 6 and Java 7, contain the bug.

Gowdiak has found other Java vulnerabilities in the past: earlier this year he reported more than a dozen to Oracle. Months later, hackers independently uncovered one of those bugs and began using it in widespread attacks during August.

On Aug. 30 Oracle shipped one of its rare emergency, or "out-of-band," security updates to patch the exploited Java bug.

The vulnerability Gowdiak revealed Tuesday was both potentially more serious than the already-exploited flaw and less of a risk to users at the moment.

"The potential impact is bigger when it comes to the number of Java desktops," said Gowdiak in an email reply to questions. "The vulnerability affects up-to-date installs of Java 5, 6 and 7. We even tested the developer preview of Java 7 Update 10, a build from Sept. 20, 2012, [and] verified it was also vulnerable."

The Java zero-days exploited by cyber criminals last month were in Java 7 only -- the newest edition -- and because of that, Gowdiak and other experts recommended users downgrade to Java 6, which was safe.

Not the case now, as all editions of Java harbor the flaw.

Gowdiak, using installed-base statistics cited by Oracle, argued that approximately 1 billion computer users are at risk because of the unpatched vulnerability.

On the other hand, there is much less urgency with this vulnerability than with the one exploited last month, for the simple fact that there's no evidence it's in the hands of hackers. "We are not aware of any active attacks that would exploit this vulnerability," Gowdiak said.

While Gowdiak said that he found the new Java bug last week -- and took the weekend to create and test a proof-of-concept exploit -- he only reported it to Oracle on Tuesday. In a follow-up email to Computerworld, Gowdiak said, "We just received confirmation of the issue from Oracle."

The company also told him that the bug will be patched in a future Java security update, but did not say which one. The next on Oracle's quarterly schedule will ship Oct. 16.

That was one of several reasons Gowdiak used to explain why he went public with the bug -- albeit sans technical details -- rather than privately reporting it to Oracle and waiting for the company to quietly patch Java. "There are still three weeks until the scheduled Java October Critical Patch Update [CPU], so it might be possible that Oracle manages to address the bug [on Oct. 16]," he said.

Gowdiak also said it was "simply our obligation to provide users with a proper warning," especially in light of recommendations last month to shift from Java 7 to the then-safe Java 6.

The fact that Java 6 is vulnerable will be of special interest to anyone using a Mac that runs OS X 10.6 (Snow Leopard) or OS X 10.5 (Leopard). Although Apple stopped bundling Java with OS X starting in 2011, 2009's Snow Leopard and 2007's Leopard included the software. If hackers have found -- or do find -- Gowdiak's vulnerability on their own, and exploit it before Oracle patches, Snow Leopard and Leopard users will be at risk, just like those running Lion or Mountain Lion.

The publicity of the newest Java zero-day -- several media outlets reported it yesterday -- will, of course, put some pressure on Oracle to act quickly, a reason often cited by security researchers who broadcast the existence of a flaw before a patch is available.

Gowdiak had an answer for that, too.

"We [make] public announcements, so that users are aware that there are some risks associated with given software or a technology, and can plan their actions accordingly," he said. He also declined to share more information about the nature of the vulnerability than the vague description in the Full Disclosure message.

Gowdiak confirmed that his proof-of-concept exploit worked against the Java plug-in used by the current versions of Chrome, Firefox, Internet Explorer 9, Opera and Safari on Windows 7.

As virtually every security professional has done when a Java vulnerability or exploit surfaces, Gowdiak yesterday urged users to disable the plug-in in their browsers until Oracle issues a patch.

Security Explorations keeps an up-to-date account of the vulnerabilities it reports to vendors, and their reactions, if any, on its website.

Instructions for disabling Java in the major browsers can be found on the US-CERT (United States Computer Emergency Readiness Team) website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
