Another Java Zero Day

Tuesday, February 26, 2013 @ 04:02 PM gHale


There is another vulnerability in Java SE 7 Update 15, and all earlier versions suffer from the issue, security researchers said.

Adam Gowdiak, chief executive of security firm Security Explorations, said they uncovered two security issues.


When combined, an attacker could use the flaws to achieve a complete bypass of the Java security sandbox.

Oracle has the details of the newly uncovered bugs, but so far, it has only confirmed receiving the information.

“Both new issues are specific to Java SE 7 only. They allow (an attacker) to abuse the Reflection API in a particularly interesting way,” Gowdiak said.

The experts have tested their findings against the initial release of Java SE 7, Java SE 7 Update 11, and Java SE 7 Update 15, which is the version released a few days ago.

Oracle released its February Critical Patch Update (CPU) ahead of schedule. The CPU released on February 1 addressed a total of 50 Java vulnerabilities.

However, the company released an updated CPU on February 19 to fix an additional 5 security issues.

The next CPU should come out April 16, but if these new vulnerabilities are exploited, then Oracle may release another out-of-band patch.

In the meantime, experts keep advising users to disable Java if they don’t need it for their everyday tasks.


