Oracle's Java patch leaves a loophole
Adam Gowdiak is indefatigable: last weekend, Oracle released an emergency patch for the 0day hole in Java, and the security researcher has already found the next loophole. In a posting on the Full Disclosure mailing list, the expert has only revealed that the flawed MBeanInstantiator method inspired him to search for further holes. Brian Krebs had previously mentioned a new exploit that can't be neutralised with Oracle's patch; whether this concerns the same vulnerability remains unclear.
Gowdiak says that he has found two new "issues", which he has numbered 51 and 52. According to the researcher, the holes still allow applets to escape from the sandbox in the current version of Java. Talking to The H's associates at heise online, however, Gowdiak said that the exploit is only successful with unsigned applets if the user has previously allowed their execution.
In 2012, Gowdiak collected 49 other Java vulnerabilities and reported them to Oracle. Immunity Products has provided a comprehensive analysis of the allegedly closed 0day hole. According to the company's analysis, MBeanInstantiator combined with a flawed security check in the Reflection API enables attackers to load protected classes. This ultimately allows them to disable the Security Manager.
Rapid7's HD Moore points out that Oracle's update was "released under duress and did help with the immediate problem of consumers being compromised". Although he assumes that Oracle is working behind the scenes to address further problems, he believes Oracle needs to invest heavily to deliver a "process-level sandbox and a drastic change in the APIs available to untrusted applets".
Security firm Trend Micro reports on its blog that the controversy around the 0day hole has inspired attackers to release a bogus Java patch. Apparently, a file called javaupdate11.jar downloads two Windows programs from the internet that open backdoors. Users should only install Java updates from reliable sources.