New holes discovered in latest Java versions
Security Explorations has informed Oracle of two new vulnerabilities in Java, "issue 54" and "issue 55", which it says can be combined to completely bypass Java's sandbox security. Adam Gowdiak, researcher at Security Explorations, told Softpedia that the problems are specific to Java 7 SE versions, and allow abuse of the Reflection API in Java, "in a particularly interesting way".
Gowdiak has tested the flaws on the original Java SE 7 release, Java SE 7 Update 11, and the recently released Java SE 7 Update 15. According to Security Exploration's bug status page, Oracle has acknowledged that it has received the vulnerability details and proof of concept code and says it will investigate and get back to the company soon. The page also notes that a previous flaw, "issue 51", is still under investigation after being reported in mid-January.
Java security flaws have been making the headlines recently, especially after companies including Twitter, Apple, Microsoft and Facebook found attackers had, using Java flaws, hijacked iPhoneDevSDK forums to deliver malware to employee laptops. Oracle has been releasing updates to Java, including Java 7 Update 13, a 50 vulnerability patch pack at the start of February. But, as with all updates, they take time to apply and this opens a window of opportunity for attackers. Rapid 7 is reporting, for example, that an exploit for Java 7 Update 11 which was only released in mid January, is being used in the wild and has been integrated with a number of exploit kits. This makes it more important than ever to ensure that Java is up to date.
The other option is to disable Java in the browser. The H advises users who do not need Java in their browser to disable the Java plugin to help ensure their safety. The most recent Java updates include a switch in the Java Control Panel on Windows to disable Java in the browser. Instructions for other versions of Java and browsers are available:
- Deactivating the Java plugin in Firefox
- Deactivating the Java plugin in Chrome
- Deactivating the Java plugin in Safari