Java Continues To Be Incredibly Insecure

The hilarity continues: the recent Java update (meant to fix some serious zero-day flaws) has itself been broken.

Long story short: drop Java.

Sadly i2p and Freenet both run Java.

http://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813

“Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.

Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc., said that attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.

Gowdiak said the lack of a fix for the flaw inspired him to look for new issues.

“Leaving MBeanInstantiator issue unfixed was like an invitation to hack Java again. All that was required was to find another bug that could be combined with it,” Gowdiak said. “We have however decided not to rely on that unfixed bug and decided to find two completely new ones instead.”

Advertisements
%d bloggers like this: