Five new flaws found in the latest version of Java

A week after disclosing two Java vulnerabilities, a Polish security firm reported finding five more in the latest version of Java. When used together, the new holes could bypass the technology's sandbox in order to install malware.

Security Explorations notified Oracle Monday of the vulnerabilities in Java SE 7 Update 15. Along with details of the flaws, Security Explorations also supplied proof of concept code.

Oracle did not respond to a request for comment.

Taken individually, the flaws do not pose a security problem, Security Explorations said. However, when chained together, they can enable an attacker to bypass Java's anti-exploit sandbox technology. Security Explorations said it had not seen the vulnerabilities exploited in the wild.

The latest vulnerability report follows a week after the same company reported two other holes in Oracle's latest plug-in used to run Java applications in a browser.

Oracle shipped Java SE 7 Update 15 on Feb. 19, bundling patches released Feb. 1 in an emergency update fixing five other flaws. The next regularly scheduled update is April 16.

The latest discovery came after Oracle rejected one of the bugs Security Explorations reported Feb. 25. "It made us look into Java SE 7 code and its docs once again, gathering counterargument material," Adam Gowdiak, chief executive of the company, said in a post on

Two of the vulnerabilities could also affect Java SE 6, Gowdiak said. "But since all of the issues need to be combined together to gain a successful Java SE security compromise, we treat it as affecting Java SE 7 only."


In releasing the Java SE 7 update this month, Oracle said that it would speed up its patching cycle for Java, which has suffered a significant number of exploitations in the wild through zero-day vulnerabilities. A zero-day flaw is one that has yet to be patched by the software vendor.

"Oracle's intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment in desktop browsers," Eric Maurice, Oracle's director of software assurance, said in a blog post.

Oracle had released Java updates every four months. Under the new schedule, it will ship updates every two months.

For months, security experts have recommended that people disable Java in all browsers, since only a small number of websites still used the application platform. In those rare cases when Java is needed to run a specific application, experts recommend dedicating one browser for that single purpose.


Stories by Antone Gonsalves
