Researchers find critical vulnerabilities in Java 7 Update 11

The latest Java update is also vulnerable to sandbox bypass exploits, researchers from Security Explorations say

Researchers from Security Explorations, a Poland-based vulnerability research firm, claim to have found two new vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software's security sandbox and execute arbitrary code on computers.

Oracle released Java 7 Update 11 last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware.

Security Explorations successfully confirmed that a complete Java security sandbox bypass can still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company's researchers, Adam Gowdiak, the company's founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.

According to Security Explorations' disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.

Researchers from security firm Immunity who analyzed the exploit being used by cybercriminals since last week concluded that it also combined two vulnerabilities to achieve a Java sandbox escape. However, they later said in a blog post that Java 7 Update 11 only addressed one of them and warned that if attackers find another vulnerability to replace the patched one, a new exploit can be created.

The vulnerabilities discovered by Security Explorations are separate from the one left unpatched by Oracle in Java 7 Update 11, Gowdiak said Friday via email.

Some security researchers, including those from the U.S. Computer Emergency Readiness Team (US-CERT), continued to advise users to disable the Java browser plug-in despite the release of Java 7 Update 11, citing concerns that similar attacks might occur in the future.

"There is definitely something worrying regarding the quality of Java SE 7 code," Gowdiak said. This could suggest the lack of a proper Secure Development Lifecycle program for Java or some other problems that are internal to Oracle, he said.

That said, the fact that Java 7 Update 11 asks for users' confirmation before allowing Java applets to be executed inside browsers is definitely a step in the right direction and could block many attacks, Gowdiak said.

2 Comments

Aaron

1

I'm not sure how current this information is, but according to what is happening to me as of right now on Jan 20th, 2013, Java 7 Update 11 is still affected. I used J7u10 previously until about 1 or 2 days ago when it started acting up. I reinstalled Java thinking a new update was needed, however that didn't seem to be the case. I constantly get these pop-ups that say "Java(TM) SE Platform Binary has stopped working" when I run into something that requires Java. When I open other things like Network Magic, or even the browser itself, I get the same message but instead it would say "Network Magic...has stopped working" etc. Now unless this gets fixed, there's no way I can do the things I used to on the internet. If there is a way around this, I'd love to know so I can get back to work.

Aaron T.

Whogivesashit

2

Aaron, no offense buddy, but you're a retard. Everything is time- and date-stamped so no, "as of right now" is not Jan 20th, 2013 and as for how current the information is, well that date at the top of the article is a big hint.
