Researchers from the Polish firm Security Explorations have identified two new vulnerabilities in the latest version of Java, which was released just this week to address two other security holes. The bad news is that these new flaws can be chained to achieve a complete sandbox bypass in Java 7 Update 11. The good news is that the latest version’s raised default security level for Java applets is working as expected, and there are no indications of attacks (yet).

The latest information comes from a short Full Disclosure post by Security Explorations CEO Adam Gowdiak: “We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).” We spoke with Gowdiak over email and he confirmed Oracle received his company’s vulnerability report on Friday.

“It contained technical information about identified security issues,” Gowdiak told TNW. “We have also provided the company with a Proof of Concept code successfully demonstrating a complete sandbox bypass under Java SE 7 Update 11.”

He also pointed me to the current status on his company’s page:

  • Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 51 and 52).
  • Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
  • Oracle provides tracking numbers for Issues 51 and 52.

Again, there is some good news to note here. First of all, as we noted when Java 7 Update 11 was released, Oracle changed the default Java Security Level setting from Medium to High, meaning the user is now always prompted before any unsigned Java applet or Java Web Start application is run. The intent is to block silent drive-by exploitation, as Oracle explains:

This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.
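Anyone managing a fleet of Java installs will want to verify that setting rather than trust the new default, since the Java Control Panel stores it in a user-writable deployment.properties file. The script below is an added example written for this article, not code from Oracle, TNW or Security Explorations. It assumes (as labelled in the comments) the property name deployment.security.level with the values LOW, MEDIUM, HIGH and VERY_HIGH as written by the Java 7u10+ Control Panel, and the convention that a deployment.security.level.locked line pins the value so the user cannot lower it. The two sample files are constructed for the example; the parser follows the java.util.Properties line format so it can also read real files.

```python
"""Audit a Java 7 deployment.properties file for the Security Level setting.

Added example, not code from the article, Oracle or Security Explorations.
Assumptions: the property names below are those used by the Java 7u10+
Control Panel; the sample file contents are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterator, Optional

PROP_LEVEL = "deployment.security.level"       # assumed key: LOW/MEDIUM/HIGH/VERY_HIGH
PROP_LOCKED = PROP_LEVEL + ".locked"           # assumed: presence locks the value
LEVEL_ORDER = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]


def _logical_lines(text: str) -> Iterator[str]:
    """Join physical lines that end in an unescaped backslash (continuation)."""
    buf, cont = "", False
    for raw in text.splitlines():
        line = raw.lstrip() if cont else raw
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:           # odd number of backslashes: continued
            buf, cont = buf + line[:-1], True
        else:
            yield buf + line
            buf, cont = "", False
    if buf:
        yield buf


def _unescape(s: str) -> str:
    """Resolve java.util.Properties escapes (\\:, \\=, \\uXXXX, \\t ...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt, i = s[i + 1], i + 2
            if nxt == "u" and i + 4 <= len(s):
                out.append(chr(int(s[i:i + 4], 16)))
                i += 4
            else:
                out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Parse key/value pairs; a key with no separator maps to an empty value."""
    props = {}
    for line in _logical_lines(text):
        s = line.lstrip()
        if not s or s[0] in "#!":
            continue
        i = 0
        while i < len(s):                # key ends at first unescaped '=', ':' or blank
            if s[i] == "\\":
                i += 2
                continue
            if s[i] in "=: \t":
                break
            i += 1
        key, rest = s[:i], s[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props[_unescape(key)] = _unescape(rest)
    return props


@dataclass
class LevelReport:
    level: Optional[str]   # value found in the file, None if absent
    locked: bool           # True when the .locked marker is present
    ok: bool               # True when level meets the required floor
    reason: str


def assess(props: dict, minimum: str = "HIGH") -> LevelReport:
    """Compare the configured level against a floor (default HIGH, as in 7u11)."""
    raw = props.get(PROP_LEVEL)
    locked = PROP_LOCKED in props
    if raw is None:
        return LevelReport(None, locked, False,
                           "no explicit level: the JRE's built-in default applies "
                           "(HIGH only from 7u11 onward), so set it explicitly")
    level = raw.strip().upper()
    if level not in LEVEL_ORDER:
        return LevelReport(level, locked, False, f"unrecognised level {raw!r}")
    ok = LEVEL_ORDER.index(level) >= LEVEL_ORDER.index(minimum)
    reason = (f"{level} meets the {minimum} floor" if ok else
              f"{level} is below {minimum}: unsigned applets on a current JRE run without a prompt")
    if ok and not locked:
        reason += "; not locked, so the user can lower it again in the Control Panel"
    return LevelReport(level, locked, ok, reason)


# Constructed samples: a pre-7u11 style file left at MEDIUM, and a managed one.
SAMPLE_WEAK = """\
#deployment.properties
#Sun Jan 13 20:03:11 CET 2013
deployment.version=7.10
deployment.security.level=MEDIUM
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
"""
SAMPLE_HARDENED = """\
# pushed by configuration management (constructed sample)
deployment.security.level=HIGH
deployment.security.level.locked
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, assess(parse_properties(text)))
```

Point it at the real file for the account being audited (on Windows the Control Panel writes it under the user's LocalLow\Sun\Java\Deployment directory; an assumption about paths, not something the article states) and treat anything other than a locked HIGH or VERY_HIGH as a finding.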

I’m rather happy to note that Gowdiak says this new protective layer, which his team has confirmed on Windows, is working. “What’s worth noting is that on Windows, the exploit code requires the user to agree to launch untrusted Java content,” he told TNW. “This could serve as a blocker for many attacks.”

Indeed, while this is unlikely to stop users who simply click through the prompt, as many will, it does close the silent, no-interaction path that drive-by attacks rely on. The other nugget of good news is that Gowdiak’s team is “not aware of these issues being known to the public or being exploited in the wild.”

The news comes hot on the heels of reports that Java exploit code was being sold in the Underweb. Unfortunately, there is no way to tell from public information whether that code targets the same vulnerabilities Security Explorations found. Either way, Oracle has to step up its game, and so far it looks like it has. Now let’s see how long it takes for Update 12 to be released.

We have contacted Oracle for more information. We will update this article if we hear back.

Image credit: Armin Hanisch