A security firm in Poland says it has found a problem in the latest Java update that Oracle released on Aug. 30. Oracle is investigating the issue.
Security researchers say they have uncovered a vulnerability in the Java 7 update recently released by Oracle in response to a spate of
According to Polish firm Security Explorations, the update contains a bug that allows an attacker to bypass the JVM sandbox and exploit bugs the company had previously disclosed to Oracle in April. Security Explorations CEO Adam Gowdiak declined to share details of the bug, but said the company has notified Oracle. Oracle has told the company it is investigating, he said.
"We found and reported to Oracle a security issue that affects recently released patched Java version (7 Update 7, version that was released on Aug 30, 2012)," he told eWEEK in an email. "I cannot share more details about the nature of the new bug. [But] when combined with some of the Apr 2012 issues, this new issue can facilitate a successful code execution attack on latest Java SE 7 Update 7."
The Java update, which was released Aug. 30, was prompted by widespread reports of attacks targeting CVE-2012-4681. Exploits for CVE-2012-4681 have been incorporated into a number of exploit kits, including Sweet Orange and Black Hole. According to Symantec, even the hackers behind the Nitro attack campaign uncovered last year targeting the chemical industry have thrown the vulnerability into the mix of their latest attacks.
It has become increasingly common for malware authors to exploit vulnerabilities in Java because of its ubiquity and the fact that it is often out of date in many organizations, blogged Graham Cluley, senior security consultant at Sophos. According to statistics from vulnerability management firm Rapid7, the patch rate among Java users is low, with just 35 percent of users applying patches within 90 days of an update's availability.
"... also love Java because it is multi-platform, capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux," Cluley blogged. "As a result it's not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload."
Tod Beardsley, Metasploit engineer manager at Rapid7, said
most people could disable Java and not notice the difference in their user
experience because very few Websites rely on Java for dynamic content.
"It's important to remember that this is certainly not the last 0-day we'll see on Java," he said. "It's still advisable to keep Java browser plugins disabled except for sites that you know you need it on. Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer all allow for this kind of 'whitelist' configuration. It's still a good idea to keep your vulnerability profile low for the next time."