04 Sep 2012

Critical Vulnerability in Fresh Java 7 Patch

A security company based in Poland has reported a vulnerability in the recently released Java 7 security fix. The vulnerability can allegedly be used to bypass the Java sandbox and execute unauthorized code on the compromised computer.

Adam Gowdiak, founder and CEO of Security Explorations, sent Oracle a report with details of the new vulnerability along with a proof-of-concept exploit. Gowdiak said his company will not publicly disclose any technical details of the new issue until Oracle has fixed it.

Last Thursday, Oracle released an emergency fix for the widely publicized CVE-2012-4681 vulnerability and two others affecting Java 7 running in web browsers on desktops. The same update also patched a “security-in-depth issue” that is not exploitable on its own in a direct attack, but could be used to worsen the outcome of exploiting other vulnerabilities.

Security Explorations reported 29 vulnerabilities in Java 7 to Oracle back in April, along with 16 proof-of-concept exploits that could bypass the Java sandbox and execute arbitrary code on the affected systems. The company observed that by patching the “security-in-depth issue,” Oracle had disabled all of the proof-of-concept exploits it submitted in the spring, which led it to conclude that the patch did not fix the underlying vulnerabilities but merely broke the exploitation vector the proofs of concept relied on.

“Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again,” Gowdiak told PCWorld. “A new idea came, it was verified and it turned out that this was it.”

This new vulnerability, combined with others that remain unpatched, can once again lead to a JVM sandbox bypass and unauthorized code execution on a victim’s system. The security community now awaits a further patch to protect users from exploitation. In the meantime, everyone using Java is advised to uninstall it from their systems.