Vulnerabilities / Threats

9/26/2012
03:54 PM

Deja Vu All Over Again: New Java Vulnerability Found, Bypasses Built-In Security

Yet another Java bug has been discovered—and this one breaks out of the software's sandbox

Another day, another Java vulnerability discovery: this time, it affects most versions of the ubiquitous application.

The good news is that so far, there's no exploit code circulating--yet. The researchers at Security Explorations who discovered the latest vulnerability say it breaks Java's security sandbox in Java versions SE 5, 6, and 7. They have reported the bug to Oracle, which they say yesterday confirmed the flaw and said it would issue a patch.

The researchers say they shared the technical details only with Oracle, and so far, there's no sign of anyone else pinpointing the flaw and writing exploit code. The vulnerability allows an attacker to escape Java's sandbox and obtain user privileges. "An attacker could run, install programs, view, change, or delete data with the privileges of a logged-on user," says Adam Gowdiak, founder and CEO of Security Explorations.

While he wouldn't offer specifics on the vulnerability itself, he says after it breaks out of the Java sandbox, the attack creates a file and executes a "notepad.exe" application on Windows 7.

"Recent bugs worked for Java SE 7 only. This one works on Java SE 5, 6 and 7: The impact is thus bigger," he says, noting that Oracle claims that there are more than one billion desktops running Java.

Oracle in late August turned around a patch within a week of active attacks exploiting holes in Java Version 7. The Java exploit, originally used for targeted attacks, went public and began to spread like wildfire after it was added to the popular BlackHole crimeware kit, making it easily accessible to all types of cybercriminals.

Gowdiak says he's not aware of any other public exploits right now, and that if the fix gets deployed quickly, it may avert the types of attacks that happened with last month's Java exploit. "If proper security fixes are made available for the users and they are applied then we may avoid a potential crisis situation," he says.

For now, users should disable the browser's Java plug-in, until Oracle issues its patch, he says.

Johannes Ullrich, of SANS Technology Institute, says users should use caution with Java. "At this point, there are no details available as to the nature of these vulnerabilities, and there is no evidence that any of these vulnerabilities are exploited. However, it is widely known that Oracle is working on a substantial backlog of these vulnerabilities. It is still recommended to use Java 'with caution,'" Ullrich said today in a post on SANS Internet Storm Center.

Some tips from SANS:

- If you don't need Java, uninstall it.
- If you do need Java, ensure that it's not automatically starting up in your browser.
- Keep your Java app up to date.
- Only keep the Java variants you need--uninstall the rest.
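Acting on the "keep it up to date" and "only keep what you need" advice starts with knowing which Java families are installed where. The script below is an added illustration, not code from the article, Security Explorations or SANS: it parses the banner that `java -version` prints, maps each host to a Java SE family and update level, and lists hosts still running one of the affected families (SE 5, 6 and 7). The host names and version strings are constructed sample data, and because the article predates Oracle's fix, the fixed-update table is an empty placeholder by default so every 5/6/7 install is flagged.

```python
import re

# Constructed sample inventory: host -> first lines of `java -version` output.
# These banners follow the legacy "1.<family>.0_<update>" numbering scheme.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "ws-02": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    "ws-03": 'java version "1.5.0_22"\nJava(TM) SE Runtime Environment (build 1.5.0_22-b03)',
    "ws-04": "",  # no Java installed: nothing to do on this host
}

# Matches the quoted version string in the first banner line.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')

# Families the article reports as affected by the sandbox-escape bug.
AFFECTED_FAMILIES = {5, 6, 7}


def parse_java_version(banner):
    """Return (family, update) from a JRE banner, e.g. (7, 7) for "1.7.0_07".

    Returns None when the text contains no Java version banner.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def affected_hosts(inventory, fixed_updates=None):
    """List (host, family, update) for hosts running an affected Java family.

    fixed_updates maps a family to the first update level that carries the
    fix; it is a placeholder here (the article gives no patched version), so
    with the default of None every SE 5/6/7 installation is reported.
    """
    fixed_updates = fixed_updates or {}
    result = []
    for host, banner in sorted(inventory.items()):
        parsed = parse_java_version(banner)
        if parsed is None:
            continue  # Java not installed on this host
        family, update = parsed
        if family not in AFFECTED_FAMILIES:
            continue  # e.g. a later family outside the article's scope
        if family in fixed_updates and update >= fixed_updates[family]:
            continue  # already at or above the fixed update level
        result.append((host, family, update))
    return result


if __name__ == "__main__":
    for host, family, update in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Java SE {family} update {update} installed; "
              "disable the browser plug-in, or uninstall Java if it is not needed")
```

Once Oracle publishes the fixed update levels, passing them as `fixed_updates` (for example `{7: N}` with the real number) turns the same function into a patch-compliance check rather than a blanket "affected" list.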

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
