Researchers find critical vulnerabilities in Java 7 Update 11

The latest Java update is also vulnerable to sandbox bypass exploits, researchers from Security Explorations say

Lucian Constantin (IDG News Service)
18 January, 2013 17:55
Comments

Researchers from Security Explorations, a Poland-based vulnerability research firm, claim to have found two new vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software's security sandbox and execute arbitrary code on computers.

Oracle released Java 7 Update 11 last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware.

Security Explorations successfully confirmed that a complete Java security sandbox bypass can be still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company's researchers, Adam Gowdiak, the company's founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.

According to Security Explorations' disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.

Researchers from security firm Immunity who analyzed the exploit being used by cybercriminals since last week concluded that it also combined two vulnerabilities to achieve a Java sandbox escape. However, they later said in a blog post that Java 7 Update 11 only addressed one of them and warned that if attackers find another vulnerability to replace the patched one, a new exploit can be created.

The vulnerabilities discovered by Security Explorations are separate from the one left unpatched by Oracle in Java 7 Update 11, Gowdiak said Friday via email.

Some security researchers, including those from the U.S. Computer Emergency Readiness Team (US-CERT), continued to advise users to disable the Java browser plug-in despite the release of Java 7 Update 11, citing concerns that similar attacks might occur in the future.

"There is definitely something worrying regarding the quality of Java SE 7 code," Gowdiak said. This could suggest the lack of a proper Secure Development Lifecycle program for Java or some other problems that are internal to Oracle, he said.

That said, the fact that Java 7 Update 11 asks for users confirmation before allowing Java applets to be executed inside browsers is definitely a step in the right direction and could block many attacks, Gowdiak said.