Less than a week after Oracle released its latest Java critical patch update, researchers have found two previously unknown security issues affecting Java 7.
Security Explorations, the Polish security company behind several recent Java flaw discoveries, reported the vulnerabilities to Oracle on Monday. Oracle is investigating the reported vulnerabilities, according to the security firm.
The issues are specific to Java SE 7 and affect Update 11 and Update 15 of the software, according to Security Explorations’ CEO Adam Gowdiak.
“Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way,” Gowdiak told Softpedia.
Oracle only released Java SE 7 Update 15 last week, patching five additional CVEs to the fifty in an unscheduled release on February 1 to address a zero day flaw being exploited by attackers. The next critical patch update for Java SE is scheduled for April 16.
Security experts generally advise users to disable the Java browser plugin, which was exploited in recent targeted attacks on developers at Facebook, Apple and Microsoft.
Reports of the new Java flaws come as an exploit for a flaw patched in the Java 7 update 13 on February 1 has found its way into automated exploit kits designed for mass infections. It was one of the flaws that could be exploited on desktops by untrusted Java Web Start applications or Java applets.
Don't click run. The Windows warning for the malicious Java applet. Image credit: Malware.dontneedcoffee.com
Security researcher Kafiene, who has closely monitored the development of ransomware and popular exploit kits, on Sunday reported the exploit’s arrival in several crime kits.
These include widely deployed kits such as Cool and Blackhole, as well as Sibhost, SofosFO, Sakura, Sweet Orange, Nuclear Pack, WhiteHole, Redkit and CritXPack. Another, Popads, included an additional lure of a self-generated fake Microsoft certificate for a malicious Java applet that is designed to trick users into installing a fake Java security update.
The social engineering is “tricky”, Kafiene notes, but the upshot for potential Windows victims is that they need to click “run” in the security warning to become infected.
Security firm Rapid 7 provides a technical analysis here and has included the exploit in the Metasploit penetration testing tool.