Oracle's Latest Java Update Comes With Security Holes, Researchers Say

Security Explorations has found two bugs in the latest version of Java that can be combined to bypass its sandbox—a finding that comes on the heels of reports earlier this week that Oracle's recent update did not fully address a security flaw.

Security researchers have found new bugs in Oracle's recent Java update, capping a rough week in security news for Java users.

Adam Gowdiak, CEO of Security Explorations, noted in a post to the Full Disclosure mailing list today that there are two bugs that can be combined to bypass the sandbox protection in the latest version of Java, which was updated Jan. 13. The disclosure follows a finding by vulnerability research firm Immunity that the Java update failed to patch a bug in the Java MbeanServerInterceptor.

"The patch did stop the exploit, fixing one of its components," blogged Esteban Guillardoy, a security researcher with Immunity, who noted that the update successfully patched a recursive reflection vulnerability. "But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users. (Assuming they now use a signed Java applet—one of the other changes introduced in this patch.)"

The MbeanServerInterceptor bug is separate from the bugs Security Explorations found, Gowdiak told eWEEK. Oracle did not respond to a request for comment before publication. However, Gowdiak said Oracle has been in contact with the company and has issued tracking numbers for each issue.

Oracle pushed out an emergency patch last weekend because of ongoing attacks targeting CVE-2013-0422 in the wild. This bug had already made its way into some of the most popular attack kits in the cyber-underground, including Blackhole.

"Although there is no doubt that 7u11 patch was incomplete, we have to keep in mind that it was released under duress and did help with the immediate problem of consumers being compromised," said HD Moore, chief security officer of Rapid7. "My assumption is that Oracle is working hard behind the scenes to find a better solution to this problem, but given the complexity of the issue and requirements with backwards compatibility it may be awhile before this class of flaws is finally put to rest."

The Java applet security model has not kept up with browser-based threats, he added. In an era where sandboxing at the process level has become common—such as with Adobe Reader and Google Chrome—Java continues to enforce all security at the interpreter level.

“Notwithstanding sandbox escapes, the capabilities available to a Java applet still exceed what comparable plugin technologies allow," Moore said. "Java has a ridiculous amount of functionality and has to contend with backwards compatibility issues to boot. The recent vulnerability involving the JMXBeanServer class is a great example of a Java applet being able to access a class it really has no business using in the first place."

"If Oracle wants Java to be successful within the browser they will need to make serious investments into the security model and their ability to respond quickly to new threats," he added.

While some in the security community have called for administrators to take a hard line and disable Java, Gowdiak acknowledged that that may not be possible.

"The admins should take proper actions aimed at mitigating the risk related with the existing and confirmed vulnerabilities in Java SE 7," Gowdiak said. "Disabling Java is the obvious choice, but in some environments that solution might be impossible to adopt. In such environments, some form of a Click To Play technology should be considered as an alternative solution."