In association with heise online

19 January 2013, 19:38

Oracle's Java patch leaves a loophole


Adam Gowdiak is indefatigable: last weekend, Oracle released an emergency patch for the 0day hole in Java, and the security researcher has already found the next loophole. In a posting on the Full Disclosure mailing list, the expert has only revealed that the flawed MBeanInstantiator method inspired him to search for further holes. Brian Krebs had previously mentioned a new exploit that can't be neutralised with Oracle's patch; whether this concerns the same vulnerability remains unclear.

Gowdiak says that he has found two new "issues" which he has numbered 51 and 52. According to the researcher, the holes still allow applets to escape from the sandbox in the current version of Java. Talking to The H's associates at heise online, however, Gowdiak said that the exploit is only successful with unsigned applets if the user has previously allowed their execution.

In 2012, Gowdiak collected 49 other Java vulnerabilities and reported them to Oracle. Immunity Products has provided a comprehensive analysis of the allegedly closed 0day hole. According to the company's analysis, MBeanInstantiator combined with a flawed security check in the Reflection API enables attackers to load protected classes. This ultimately allows them to disable the Security Manager.

Rapid 7's HD Moore points out that Oracle's update was "released under duress and did help with the immediate problem of consumers being compromised". Although he assumes that Oracle is working behind the scenes to address further problems, he believes Oracle needs to invest heavily to deliver a "process-level sandbox and a drastic change in the APIs available to untrusted applets".

In the meantime, unless a user specifically needs Java for a particular application, The H and many security experts recommend disabling Java in the browser. Unlike the similarly named and widely used JavaScript, Java has relatively low usage on the web; most of its success has been in enterprise server applications where the browser vulnerabilities are not usefully exploitable.
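The recommendation above can be checked and enforced on a machine rather than left to each user clicking through the Java Control Panel. The following script is an added example, not code from the article or from Oracle: it audits a Java `deployment.properties` file for the Java 7u10+ switch `deployment.webjava.enabled` (the property behind the control panel's "Enable Java content in the browser" checkbox) and rewrites the file with the plug-in turned off. The file path is left to the caller because it differs per platform and user, and the embedded sample file is constructed for the demonstration.

```python
"""Audit and enforce the "Java content in the browser" switch.

Added example (not from The H article). Assumes the Java 7u10+ deployment
property `deployment.webjava.enabled`; paths are supplied by the caller.
"""
import re
import sys
from pathlib import Path

PROPERTY = "deployment.webjava.enabled"
# Matches a line setting our property with either '=' or ':' as separator.
LINE_RE = re.compile(r"^\s*" + re.escape(PROPERTY) + r"\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Return a dict of key -> value for simple `key=value` / `key:value` lines.

    Covers the subset of Java .properties syntax these files use in practice:
    '#' or '!' comment lines, '=' or ':' separators, no line continuations.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def browser_java_enabled(text):
    """True if the properties text leaves the Java browser plug-in enabled.

    Oracle's default for the property is true, so a missing key counts as
    enabled: a freshly installed JRE is exactly the state the article warns about.
    """
    value = parse_properties(text).get(PROPERTY, "true")
    return value.lower() == "true"


def disable_browser_java(text):
    """Return the properties text with the plug-in switched off.

    An existing setting is replaced in place; otherwise a line is appended,
    so the result always contains exactly one definition of the property.
    """
    out, replaced = [], False
    for line in text.splitlines():
        if LINE_RE.match(line):
            out.append(f"{PROPERTY}=false")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{PROPERTY}=false")
    return "\n".join(out) + "\n"


# Constructed sample of a user-level deployment.properties (not a real file).
SAMPLE = """#deployment.properties
#Sat Jan 19 19:38:00 CET 2013
deployment.version=7.11
deployment.security.level=HIGH
deployment.webjava.enabled=true
"""


def main(argv):
    """Usage: script.py [--fix] /path/to/deployment.properties"""
    fix = "--fix" in argv
    paths = [a for a in argv[1:] if a != "--fix"]
    if not paths:
        # No file given: demonstrate on the constructed sample.
        print("sample enabled:", browser_java_enabled(SAMPLE))
        print("after fix enabled:", browser_java_enabled(disable_browser_java(SAMPLE)))
        return 0
    path = Path(paths[0])
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    print(f"{path}: browser Java enabled = {browser_java_enabled(text)}")
    if fix and browser_java_enabled(text):
        path.write_text(disable_browser_java(text), encoding="utf-8")
        print(f"{path}: set {PROPERTY}=false")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with `--fix` against the user-level file to switch the plug-in off, or against a system-wide properties file referenced from `deployment.config` to apply the setting to every user on the host. Note that this only covers the Java plug-in; a user can re-enable it from the Control Panel unless the property is also locked at system level, and a browser's own plug-in enable/disable setting is a separate control.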

Security firm Trend Micro reports on its blog that the controversy around the 0day hole has inspired attackers to release a bogus Java patch. Apparently, a file called javaupdate11.jar loads two Windows programs from the internet that open backdoors. Users should only install Java updates from reliable sources.

