Oracle last week patched the two zero-day vulnerabilities in Java
that attackers had been exploiting in targeted attacks, but it didn't
take long for researchers to poke more holes in the software. A new bug
that allows a complete Java sandbox escape has been identified already,
the latest in what has become a long line of flaws haunting the Java
software running on hundreds of millions of machines.
Adam Gowdiak, a researcher at Security Explorations, a Polish firm that said
it sent more than a dozen security vulnerabilities in Java to Oracle
several months ago, said that upon downloading and inspecting the Java 7
update 7 file, he found that one of the changes made to the application
as part of the update enabled another bug to become exploitable.
"One of the fixes incorporated in the released update also addressed the
exploitation vector with the use of the sun.awt.SunToolkit class.
Removing getField and getMethod methods from the implementation of the
aforementioned class caused all of our full sandbox bypass Proof of
Concept codes not to work any more (please note, that not all security
issues that were reported in Apr 2012 got addressed by the recent Java
update)," Gowdiak wrote in a post on BugTraq.
"Today we sent a security vulnerability report along with a Proof of Concept
code to Oracle. The code successfully demonstrates a complete JVM
sandbox bypass in the environment of a latest Java SE software (version 7
Update 7 released on Aug 30, 2012). The reason for it is a new security
issue discovered, that made exploitation of some of our not yet
addressed bugs possible to exploit again."
In addition to the
newly disclosed vulnerability in Java 7, the team at Security
Explorations says that it sent a number of other bug reports to Oracle
in April--including the initial report of the CVE-2012-4681 bug--some of
which have not yet been addressed.
Gowdiak said via email that
the vulnerability he found in Java 7 is an entirely new issue and not
just a reemergence of an older bug.
"That's a completely new
vulnerability. It however makes our past, not yet addressed issues
possible to exploit again in the environment of the recent Java 7 Update
7," Gowdiak said.
He also said that the company has not received any indication from Oracle when this flaw might be addressed with a patch.
"We only received information from Oracle that it planned to address the
remaining 25 issues by the means of Oct 2012 and Mar 2013 Java CPUs,"
Gowdiak said, referring to the larger group of bugs that Security
Explorations reported to Oracle earlier this year.
Courtesy by Dennis Fisher