New Java 7 security flaws emerge as old one lands in crime kits

Less than a week after Oracle released its latest Java critical patch update, researchers have found two previously unknown security issues affecting Java 7.

Security Explorations, the Polish security company behind several recent Java flaw discoveries, reported the vulnerabilities to Oracle on Monday. Oracle is investigating the reported vulnerabilities, according to the security firm.

The issues are specific to Java SE 7 and affect Update 11 and Update 15 of the software, according to Security Explorations’ CEO Adam Gowdiak.

“Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way,” Gowdiak told Softpedia.

Oracle only released Java SE 7 Update 15 last week, patching five additional CVEs to the fifty in an unscheduled release on February 1 to address a zero day flaw being exploited by attackers. The next critical patch update for Java SE is scheduled for April 16.

Security experts generally advise users to disable the Java browser plugin, which was exploited in recent targeted attacks on developers at Facebook, Apple and Microsoft.

Reports of the new Java flaws come as an exploit for a flaw patched in the Java 7 update 13 on February 1 has found its way into automated exploit kits designed for mass infections. It was one of the flaws that could be exploited on desktops by untrusted Java Web Start applications or Java applets.


Don't click run. The Windows warning for the malicious Java applet. Image credit: Malware.dontneedcoffee.com

Security researcher Kafiene, who has closely monitored the development of ransomware and popular exploit kits, on Sunday reported the exploit’s arrival in several crime kits.

These include widely deployed kits such as Cool and Blackhole, as well as Sibhost, SofosFO, Sakura, Sweet Orange, Nuclear Pack, WhiteHole, Redkit and CritXPack. Another, Popads, included an additional lure of a self-generated fake Microsoft certificate for a malicious Java applet that is designed to trick users into installing a fake Java security update.

The social engineering is “tricky”, Kafiene notes, but the upshot for potential Windows victims is that they need to click “run” in the security warning to become infected.

Security firm Rapid 7 provides a technical analysis here and has included the exploit in the Metasploit penetration testing tool.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Tags java 7software vulnerabilitiesOracle

1 Comment

Joseph Hyson

1

Warning-Security www.pogo.com [spades] how to remove ?

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Secure, identity-based protection for your endpoints

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.