Yet another Java flaw allows “complete” bypass of security sandbox

 Internet News, Tech News  228 Responses »
Sep 262012
 

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years worth of Java software.

“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote, claiming the hole puts “one billion users” at risk.

Gowdiak wrote that Security Explorations successfully pulled off the exploit on a fully patched Windows 7 32-bit computer in Firefox, Chrome, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit, Gowdiak told Computerworld that the flaw would be exploitable on any machine with Java 5, 6, or 7 enabled (whether it’s Windows 7 64-bit, Mac OS X, Linux, or Solaris).

MOREYet another Java flaw allows “complete” bypass of security sandbox | Ars Technica.

 

Critical flaw under active attack prompts calls to disable Java

 Internet News, Tech News  551 Responses »
Aug 272012
 

A vulnerability in the latest version of Oracle’s Java software framework is under active attack, and the damage is likely to get worse thanks to the availability of reliable exploit code that works on a variety of browsers and computer platforms, security experts warn.

The flaw in Java version 1.7 was reported on Sunday afternoon by FireEye security researcher Atif Mushtaq. A separate post published on Monday by researchers Andre M. DiMino and Mila Parkour said the number of attacks, which appear to install the Poison Ivy Remote Access Trojan, were low. But they went on to note that the typical delay in issuing Java patches, combined with the circulation of exploit code, meant it was only a matter of time until the vulnerability is exploited more widely by other attackers.

Members of Rapid7, the security company that helps maintain the open-source Metasploit exploit framework used by penetration testers and hackers, said they have already developed an exploit that works against Windows 7. They are in the process of testing it against the Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome browsers running on other operating systems, including Ubuntu Linux 10.04 and Windows XP. They went on to suggest that users should disable Java until a patch plugging the gaping hole is released.

“As a user, you should take this problem seriously, because there is currently no patch from Oracle,” a Rapid7 exploit developer wrote in a blog post. “For now, our recommendation is to completely disable Java until a fix is available.”

MORE:  Critical flaw under active attack prompts calls to disable Java | Ars Technica.