New Java Vulnerability Allows Sandbox Bypass, Security Firm Says

Security researchers have discovered a new vulnerability impacting Java Standard Edition versions 5, 6 and 7 that allows attackers to bypass code sandbox defenses.

Researchers at Security Explorations have uncovered a new critical zero-day flaw affecting all-supported versions of Oracle Java.

The bug discovery was announced Sept. 26 on the Full Disclosure security mailing list, though technical details of the vulnerability remain under wraps. According to Security Explorations CEO Adam Gowdiak, however, the flaw impacts Java Standard Edition versions 5, 6 and 7 and can be used to break out of the Java sandbox.

"The issue is tricky to find," he said. "Same for the exploit code to develop. It would be fair to say that both were of a moderate difficulty."

The researchers say they confirmed the bug on the Firefox, Google Chrome, Internet Explorer, Opera and Apple Safari browsers. Oracle has confirmed the flaw’s existence and stated that it will be addressed in a future Java critical patch update, according to Gowdiak.

The prevalence of Java has made it a common target for hackers, prompting some in the security community to call for organizations to disable the technology if it is not needed. Exploits for Java bugs have become staples of attack kits such as Black Hole and others. There is little danger of that in this case, however, since the bug was disclosed privately, said Marcus Carey, security researcher at Rapid7.

“There are tons of privately reported bugs for software, which makes it a bit strange that this is generating the amount of buzz that it is," he said. "Organizations and consumer should always treat Java and other plug-ins as if there are zero-day exploits out there targeting them, even when we don’t know of any specific ones being used."

To reduce risk, he recommended that users only install plug-ins when needed and disable or uninstall them if they are unnecessary.

"If you have to enable dynamic content that requires plug-ins, only do so from trusted sites, as others could very well be compromised," he added.

"If there isn’t a reasonable use case for someone to have Java installed, then they can certainly consider removing it altogether," Satnam Narang, security response manager at Symantec, said in an interview Aug. 30. "However, if there is a use case for having it installed, it’s simply best to ensure that it is patched and kept up-to-date. If there is an exploit in the wild and no patch is currently available, users should disable Java until a patch is made available."

Due to the number of people running Java, the potential impact of the bug could affect a large number of desktops, Gowdiak said. The severity of the issue is also critical because of the implications of a full Java security sandbox bypass.

"What this means is that a malicious Java applet or application exploiting the vulnerability could run unrestricted in the context of a target Java process such as a Web browser application," he explained. "An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user. In our proof-of-concept code we create a file and execute ‘notepad.exe’ application on Windows."