11 Security Sights Seen Only At Black Hat

Oracle last week issued an emergency Java 7 patch for two zero-day vulnerabilities being actively used by attackers, but its fix appears to have rendered a previously undisclosed vulnerability now exploitable.

On Thursday, Oracle released Java JDK/JRE 7 update 7 to fix a handful of the vulnerabilities that had been identified and publicized by security researchers. "This releases (sic) address security concerns. Oracle strongly recommends that all Java SE 7 users upgrade to this release," read the update page.

But in an email to the Bugtraq mailing list Friday, Adam Gowdiak, CEO and founder of Poland-based Security Explorations, said that while Oracle had fixed the flaws being actively exploited by attackers, it had yet to address all of the flaws that his firm disclosed to Oracle in April 2012. Furthermore, thanks to the update, one of the new, still-unfixed flaws can now be used to exploit the Java virtual machine (JVM)--the part of the software platform that executes code--and disable the sandbox.

[ How secure is your data in the cloud? Read Don't Trust Cloud Security. ]

"Today we sent a security vulnerability report along with a Proof of Concept code to Oracle," said Gowdiak. "The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (Version 7 Update 7, released on Aug 30, 2012). The reason for it is a new security issue that made exploitation of some of our not-yet-addressed bugs possible to exploit again."

The Java sandbox is meant to prevent attackers from being able to use Java to target the host system that runs it. But in the recently spotted zero-day attacks, attackers found flaws that enabled them to defeat the Java sandbox. Similarly, different flaws in Java revealed earlier this year were also used by attackers to defeat the sandbox, and became the basis for the Apple OS X Flashback malware. In addition, this week the hacktivist collective AntiSec claimed to have used the flaws in March 2012 to exploit an FBI agent's laptop.

One benefit of the new Java patch, however, is that numerous security researchers have confirmed that the flaws being exploited in active attacks have now been fixed. According to Gowdiak, last week's update fixed exploitable ClassFinder/MethodFinder bugs. In addition, the update "addressed the exploitation vector with the use of the sun.awt.SunToolkit class." He also said that "removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work anymore."

The speed of the emergency Java patch release from Oracle suggested that the company already had related fixes prepped and was running them through testing and quality assurance (QA) checks. "Generally it takes months to QA a Java security bug fix--which may be how long this took," said Immunity security researcher Esteban Guillardoy in a blog post.

But when might the new--and outstanding--vulnerabilities see patches? According to the Security Essentials website, the company has submitted to Oracle proof-of-concept attack code for 31 different issues, although it hasn't revealed any details about the attacks, except in some cases to reveal what could be exploited. While some of those issues need to be chained together to work, many of the flaws could be used by attackers to affect a "complete Java security sandbox bypass."

Timing-wise, Gowdiak told Threatpost that Oracle has told his firm only that it plans "to address the remaining 25 issues by the means of Oct. 2012 and Mar. 2013 Java CPUs," referring to the company's critical patch updates, which typically follow a quarterly release cycle.

Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)