
Deja Vu All Over Again: New Java Vulnerability Found, Bypasses Built-In Security

Yet another Java bug has been discovered—and this one breaks out of the software's sandbox

Another day, another Java vulnerability: this time, it affects most versions of the ubiquitous runtime in use.

The good news is that, so far, there is no exploit code circulating. The researchers at Security Explorations who discovered the latest vulnerability say it breaks Java's security sandbox in Java SE 5, 6, and 7. They have reported the bug to Oracle, which they say confirmed the flaw yesterday and said it would issue a patch.

The researchers say they shared the technical details only with Oracle, and so far there is no sign of anyone else pinpointing the flaw and writing exploit code. The vulnerability lets an attacker escape Java's sandbox and run arbitrary code with the privileges of the logged-on user. "An attacker could run, install programs, view, change, or delete data with the privileges of a logged-on user," says Adam Gowdiak, founder and CEO of Security Explorations.

While he wouldn't offer specifics on the vulnerability itself, he says that once the proof-of-concept breaks out of the Java sandbox, it creates a file and launches notepad.exe on Windows 7, both actions the sandbox is supposed to deny untrusted code.

"Recent bugs worked for Java SE 7 only. This one works on Java SE 5, 6 and 7: The impact is thus bigger," he says, noting that Oracle claims that there are more than one billion desktops running Java.

Oracle in late August turned around a patch within a week of active attacks exploiting holes in Java Version 7. The Java exploit, originally used for targeted attacks, went public and began to spread like wildfire after it was added to the popular BlackHole crimeware kit, making it easily accessible to all types of cybercriminals.

Gowdiak says he's not aware of any other public exploits right now, and that if the fix gets deployed quickly, it may avert the types of attacks that happened with last month's Java exploit. "If proper security fixes are made available for the users and they are applied then we may avoid a potential crisis situation," he says.

For now, users should disable the browser's Java plug-in until Oracle issues its patch, he says.

Johannes Ullrich, of the SANS Technology Institute, says users should use caution with Java. "At this point, there are no details available as to the nature of these vulnerabilities, and there is no evidence that any of these vulnerabilities are exploited. However, it is widely known that Oracle is working on a substantial backlog of these vulnerabilities. It is still recommended to use Java 'with caution,'" Ullrich said today in a post on the SANS Internet Storm Center.

Some tips from SANS:

- If you don't need Java, uninstall it.

- If you do need Java, ensure that it's not automatically starting up in your browser.

- Keep your Java app up to date.

- Only keep the Java variants you need; uninstall the rest.
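Turning the SANS list into something you can actually run: the POSIX shell script below is an added example, not code from the article, SANS, Security Explorations or Oracle. It reports the major version of the Java on PATH, flags it if it falls in the SE 5/6/7 range the article says is affected, looks for the Oracle browser plug-in, and lists installed JDK/JRE directories so you can see which variants to remove. The plug-in file names (libnpjp2.so in a Mozilla plugins directory on Linux, JavaAppletPlugin.plugin in /Library/Internet Plug-Ins on OS X) and the install directories (/usr/lib/jvm, /usr/java, /Library/Java/JavaVirtualMachines) are the conventional locations of that period and are assumptions here; Windows is not covered.

```shell
#!/bin/sh
# Added example: audit a workstation against the SANS Java tips.
# Assumed locations (adjust for your platform):
#   Linux browser plug-in : libnpjp2.so in a Mozilla plugins directory
#   OS X browser plug-in  : JavaAppletPlugin.plugin in /Library/Internet Plug-Ins
#   JDK/JRE install roots : /usr/lib/jvm, /usr/java, /Library/Java/JavaVirtualMachines

# Extract the major version from the first line of `java -version`, e.g.
#   java version "1.7.0_07"   -> 7      (pre-9 scheme: 1.<major>.<minor>_<update>)
#   openjdk version "11.0.2"  -> 11     (later scheme: <major>.<minor>.<security>)
# Returns 1 if the line carries no quoted version string.
java_major_version() {
    _v=$(printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    [ -n "$_v" ] || return 1
    case "$_v" in
        1.*) _v=${_v#1.} ;;
    esac
    printf '%s\n' "${_v%%[._-]*}"
}

# The article says this bug affects Java SE 5, 6 and 7.
java_is_affected() {
    case "$1" in
        5|6|7) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print the first directory (of those given) holding a Java browser plug-in;
# dangling symlinks count too, because the browser would still try to load them.
java_browser_plugin_present() {
    for _d in "$@"; do
        [ -d "$_d" ] || continue
        for _f in libnpjp2.so JavaAppletPlugin.plugin; do
            if [ -e "$_d/$_f" ] || [ -L "$_d/$_f" ]; then
                printf '%s\n' "$_d"
                return 0
            fi
        done
    done
    return 1
}

# List installed JDK/JRE directories (tip 4: keep only the variants you need).
list_java_installs() {
    for _p in /usr/lib/jvm/* /usr/java/* /Library/Java/JavaVirtualMachines/*; do
        [ -d "$_p" ] && printf '%s\n' "$_p"
    done
    return 0
}

audit_java() {
    if command -v java >/dev/null 2>&1; then
        _line=$(java -version 2>&1 | head -n 1)
        _major=$(java_major_version "$_line") || _major=unknown
        echo "java on PATH: $_line"
        if java_is_affected "$_major"; then
            echo "  -> Java SE $_major is in the affected 5/6/7 range: patch when available, or remove it"
        fi
    else
        echo "java: not on PATH"
    fi
    if _dir=$(java_browser_plugin_present "$HOME/.mozilla/plugins" \
                /usr/lib/mozilla/plugins "/Library/Internet Plug-Ins"); then
        echo "browser plug-in: Java plug-in found in $_dir; disable or remove it"
    else
        echo "browser plug-in: none found in the checked directories"
    fi
    echo "installed JDK/JRE directories:"
    list_java_installs | sed 's/^/  /'
    return 0
}

audit_java
```

Run it as a normal user first (the Mozilla per-user plug-in directory lives under $HOME) and again as root if you want the system-wide install roots checked with the right permissions. It only reports; removing a JRE or the plug-in is left to the platform's package manager or installer.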

Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
