1/28/2013
06:10 PM
Java Security Feature FAIL: Researcher Bypasses Java Sandbox, Security Settings

'High' and 'Very High' Java security settings won't stop attacks, researcher says

Zero-day bugs in Java have been coming fast and furious lately. In the latest twist, a researcher says he was able to cheat built-in security features in Java applications.

Adam Gowdiak, founder and CEO of Security Explorations in Poland, has alerted Oracle that he and his team found security holes that could allow an attacker to both escape Java's sandboxing protection and cheat the highest security settings in the application.

His discovery of new flaws in the software -- which could allow an attacker to bypass Java's security features in the "High" and "Very High" security settings -- basically shot down Oracle's recent recommendations to use those settings to avert a zero-day attack that began earlier this month.

Oracle issued a security update for the CVE-2013-0422 vulnerability that included a change in Java's Security Level setting from "Medium" to "High" so users would be prompted before allowing an unsigned Java applet to run.

But the newest Java bug can be exploited to cheat those security settings altogether. "Regardless of the new security level configured by the user ... the new bug could be used to execute untrusted Java applications" on the machine, Gowdiak says. Only users with Java plug-ins enabled in their browsers are at risk, he says.

[Most enterprises might be stuck with Java, but there are ways to reduce the effectiveness of recent and future zero-day exploits. See Tech Insight: 5 Approaches To Decaffeinating Java Exploits.]

The researcher won't publicly reveal details of the specific vulnerabilities he discovered, but he says the only way to protect systems from these and other Java-borne attacks is to disable Java entirely or to use the "click-to-play" feature found in some browsers, which lets users decide case by case whether a page may run Java.

"At the moment, disabling Java or relying on the so called 'click-to-play' feature implemented by several Web browsers seems to be the only solution that could help mitigate Java-based attacks," Gowdiak told Dark Reading.
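The mitigation Gowdiak describes can be applied centrally rather than per user. The following is an added example of a system-wide Java deployment configuration; it is not from the article and not code from Security Explorations or Oracle. It assumes the Java 7 Update 10 and later deployment.properties keys deployment.webjava.enabled and deployment.security.level, and the ".locked" suffix that prevents users from overriding a setting in the Java Control Panel; the file location is a placeholder.

```properties
# Added example, not part of the article. Place in the system-level
# deployment.properties referenced by deployment.config (path is a placeholder:
# e.g. /etc/.java/deployment/deployment.properties on Linux).
# Assumed keys: deployment.webjava.enabled, deployment.security.level,
# and the "<key>.locked" convention for locking a setting.

# Preferred mitigation from the article: disable the browser plug-in entirely,
# and lock the setting so the Java Control Panel cannot re-enable it.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Fallback if the plug-in must stay on: set the highest built-in level and
# lock it. Per the article, the bug reported here bypasses this level, so it
# narrows exposure to unsigned applets but is not a fix on its own.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

The deployment.config file that points at this properties file should set deployment.system.config.mandatory=true so the JRE refuses to start the plug-in if the system file cannot be read; otherwise a missing file silently falls back to per-user settings.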

He revealed earlier this month that he could bypass the Java sandbox, the feature that runs untrusted code in isolation, in the newest version of the software, Java 7 Update 11 (Java Runtime Environment version 1.7.0_11-b21). He found two new bugs and provided Oracle with proof-of-concept code showing how they could be abused to escape the sandbox.

"It was only a matter of time before another sandbox escape was identified in the Java Runtime. Although there is no doubt that the 7u11 patch was incomplete, we have to keep in mind that it was released under duress and did help with the immediate problem of consumers being compromised," says HD Moore, CTO at Rapid7 and creator of Metasploit.

While the obvious targets are the Java plug-ins used in Web browsers, any Java application that runs on the Java Runtime Environment (JRE) is exposed to the sandbox bypass. "We have demonstrated the vulnerability in the context of Java Plugin and the so-called Java Applet application run in the Web browser," Gowdiak says. "However, any Java app relying on the vulnerable Java Runtime Environment might be vulnerable to it as long as the attacker finds its way to run its code inside a vulnerable Java environment."

An attacker could run malware in the Java environment and gain remote control of the user's Java Web application, he says.

Rapid7's Moore says it seems Oracle's efforts to shore up security didn't end up helping much. "It sounds like they put a lot of effort into all-new" security settings, but it really didn't make much difference security-wise, he says. "The only folks making a difference here are the browser [vendors]. They are detecting actual [Java] attacks in the wild," Moore says.

George Tubin, a security strategist at Trusteer, says Java exploits will continue to be a problem. And short-term fixes aren't the answer.

"We have to get away from this back-and-forth reactive game. The way software is, you're going to find vulnerabilities, and you're not going to find a way to eliminate them, even when vulns are patched," Tubin says.

Oracle was not available for comment at the time of this posting.

So can Oracle rebound with a more secure Java? Gowdiak says the wave of vulnerabilities and other security issues revealed in Java during the past few months demonstrates problems with Oracle's security processes. He says multiple bugs were "introduced" into Java 7, and its patch-testing process appears to be flawed.

"The company's analysis of security issues as well as its patch-testing processes are not thorough enough: There are cases of bugs being found in the same code as previously patched issues or bugs that are not fixed properly," he says. "The number of bugs discovered in new features introduced into Java 7 indicates that these features were not [likely] subject to any security review."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
