The good news is that, so far, no exploit code is circulating. The researchers at Security Explorations who discovered the latest vulnerability say it breaks Java's security sandbox in Java SE 5, 6, and 7. They reported the bug to Oracle, which they say confirmed the flaw yesterday and said it would issue a patch.
The researchers say they shared the technical details only with Oracle, and so far there is no sign of anyone else pinpointing the flaw and writing exploit code. The vulnerability allows an attacker to escape Java's sandbox and run code with the privileges of the logged-on user. "An attacker could run, install programs, view, change, or delete data with the privileges of a logged-on user," says Adam Gowdiak, founder and CEO of Security Explorations.
While he wouldn't offer specifics on the vulnerability itself, he says that once the attack breaks out of the Java sandbox, it creates a file and launches "notepad.exe" on Windows 7.
"Recent bugs worked for Java SE 7 only. This one works on Java SE 5, 6 and 7: The impact is thus bigger," he says, noting that Oracle claims that there are more than one billion desktops running Java.
In late August, Oracle turned around a patch within a week of reports of active attacks exploiting holes in Java SE 7. That exploit, originally used in targeted attacks, went public and spread rapidly once it was added to the popular BlackHole crimeware kit, which put it in the hands of cybercriminals of all kinds.
Gowdiak says he's not aware of any other public exploits right now, and that if the fix is deployed quickly, it may avert the kind of attacks that followed last month's Java exploit. "If proper security fixes are made available for the users and they are applied then we may avoid a potential crisis situation," he says.
For now, users should disable the browser's Java plug-in until Oracle issues its patch, he says.
Johannes Ullrich of the SANS Technology Institute says users should use caution with Java. "At this point, there are no details available as to the nature of these vulnerabilities, and there is no evidence that any of these vulnerabilities are exploited. However, it is widely known that Oracle is working on a substantial backlog of these vulnerabilities. It is still recommended to use Java 'with caution,'" Ullrich said today in a post on the SANS Internet Storm Center.
Some tips from SANS:
- If you don't need Java, uninstall it.
- If you do need Java, ensure that it does not start automatically in your browser.
- Keep Java up to date.
- Only keep the Java variants you need; uninstall the rest.