New Java Flaw Affects 1 Billion

Wednesday, September 26, 2012 @ 04:09 PM gHale

There is another Java flaw that affects all Oracle Java SE versions and the nearly one billion desktop computers that have the software installed, researchers said.

Researchers found the bug, codenamed Issue 50, just before the start of Oracle’s JavaOne 2012 conference, which takes place in San Francisco, Security Explorations officials said.


“The impact of this issue is critical — we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7,” said Adam Gowdiak, chief executive at Security Explorations.

“So far, we could only claim such an impact with reference to the Java 7 environment (the Apple QuickTime attack relying on Issues 15 and 22 is the only exception here).”

The vulnerability can be leveraged by an attacker to “violate a fundamental security constraint” of Java Virtual Machines, Gowdiak said.

The researchers confirmed that Java SE 5 Update 22, Java SE 6 Update 35, and Java SE 7 Update 7, running on a fully patched 32-bit Windows 7 system, are susceptible to the attack.

The affected web browsers are Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89, Firefox 15.0.1, and Internet Explorer 9.0.8112.16421.
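A defender's first question on reading this is which of the Java SE builds in their inventory match the confirmed-susceptible updates above. The following check is an added example, not code from the article or from Security Explorations; it parses the version string that `java -version` prints (the `1.<major>.<minor>_<update>` form used by Java SE 5, 6 and 7) and compares it against the three confirmed data points the article gives. The sample output lines are constructed for the example, and because the article states that all Java SE versions are affected, a build newer than the confirmed update is reported as "newer-than-confirmed" rather than as safe.

```python
import re

# Updates the article lists as confirmed susceptible (Security Explorations, Sept 2012):
# Java SE 5 Update 22, Java SE 6 Update 35, Java SE 7 Update 7.
# These are confirmed data points only; the article says all versions are affected.
CONFIRMED_VULNERABLE = {5: 22, 6: 35, 7: 7}

# Matches the first line of `java -version`, e.g. java version "1.7.0_07"
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.(\d+)_(\d+)')

# Constructed sample of what `java -version` prints for a 7u7 install (example data).
SAMPLE_7U7 = (
    'java version "1.7.0_07"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_07-bNN)\n'
    'Java HotSpot(TM) Client VM (build NN.N-bNN, mixed mode, sharing)\n'
)


def parse_java_version(output):
    """Return (major, minor, update) from `java -version` text, or None if unrecognised.

    'java version "1.7.0_07"' -> (7, 0, 7); the leading "1." is the legacy prefix
    that Java SE 5, 6 and 7 all carry.
    """
    match = _VERSION_RE.search(output)
    if match is None:
        return None
    return tuple(int(group) for group in match.groups())


def assess(output):
    """Classify a `java -version` output against the article's confirmed updates.

    Returns one of:
      "unrecognised"          - version string not in the expected format
      "unlisted-major"        - a Java SE major the article does not list
      "confirmed"             - at or below the confirmed-susceptible update
      "newer-than-confirmed"  - later update; still exposed per the article, but
                               not one of the builds the researchers tested
    """
    version = parse_java_version(output)
    if version is None:
        return "unrecognised"
    major, _minor, update = version
    confirmed_update = CONFIRMED_VULNERABLE.get(major)
    if confirmed_update is None:
        return "unlisted-major"
    if update <= confirmed_update:
        return "confirmed"
    return "newer-than-confirmed"


def inventory_report(outputs):
    """Map each host name to its classification, for a dict of host -> `java -version` text."""
    return {host: assess(text) for host, text in outputs.items()}


if __name__ == "__main__":
    # Constructed inventory: three hosts with different Java SE builds (example data).
    hosts = {
        "ws-01": SAMPLE_7U7,
        "ws-02": 'java version "1.6.0_35"\n',
        "ws-03": 'java version "1.5.0_19"\n',
    }
    for host, status in inventory_report(hosts).items():
        print(f"{host}: {status}")
```

Feed it the captured output of `java -version` per host (it is printed to stderr, so redirect with `2>&1`). The classification deliberately never returns "safe": until Oracle ships a fix, the useful output is a list of which hosts still run Java SE at all and which builds match the ones the researchers tested.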

The company provided Oracle with a complete technical description of the flaw, along with source and binary code, and a proof of concept that demonstrates the complete security sandbox bypass in Java SE 5, 6 and 7.
