Oracle Java Patch Has Security Flaw, Researchers Say

Security researchers say they have uncovered a vulnerability in the Java 7 update recently released by Oracle in response to a spate of attacks.

According to Polish firm Security Explorations, the update contains a bug that allows an attacker to bypass the JVM sandbox and exploit bugs the company had previously disclosed to Oracle in April. Security Explorations CEO Adam Gowdiak declined to share details of the bug, but said the company has notified Oracle. Oracle has told the company it is investigating, he said.

“We found and reported to Oracle a security issue that affects recently released patched Java version (7 Update 7, version that was released on Aug 30, 2012),” he told eWEEK in an email. “I cannot share more details about the nature of the new bug. [But] when combined with some of the Apr 2012 issues, this new issue can facilitate a successful code execution attack on latest Java SE 7 Update 7.”

The Java update, which was released Aug. 30, was prompted by widespread reports of attacks targeting CVE-2012-4681. Exploits for CVE-2012-4681 have been incorporated into a number of exploit kits, including Sweet Orange and Black Hole. According to Symantec, even the hackers behind the Nitro attack campaign uncovered last year targeting the chemical industry have thrown the vulnerability into the mix of their latest attacks.

It has become increasingly common for malware authors to exploit vulnerabilities in Java due to its ubiquitousness and the fact that it is often out-of-date in many organizations, blogged Graham Cluley, senior security consultant at Sophos. According to statistics from vulnerability management firm Rapid7, the patch rate among Java users is low, with just 35 percent of users applying patches within 90 days of an update’s availability.

“Cyber-criminals also love Java because it is multi-platform-capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux,” Cluley blogged. “As a result it’s not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload.”

Tod Beardsley, Metasploit engineer manager at Rapid7, said most people could disable Java and not notice the difference in their user experience because very few Websites rely on Java for dynamic content.

“It’s important to remember that this is certainly not the last 0-day we’ll see on Java,” he said. “It’s still advisable to keep Java browser plugins disabled except for sites that you know you need it on. Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer all allow for this kind of “whitelist” configuration. It’s still a good idea to keep your vulnerability profile low for the next time.”