Researchers from the Polish firm Security Explorations have identified a serious vulnerability in the latest version of Java that completely bypasses the new security level Oracle recently introduced for Java applets. Coupled with the two other vulnerabilities discovered by the same firm less than two weeks ago, Java users are once again as vulnerable as they were before the latest update.
Some background is required. As we noted when Java 7 Update 11 was released, Oracle changed the default Java Security Level setting from Medium to High, meaning the user is now always prompted before any unsigned Java applet or Java Web Start application is run. This is meant to prevent drive-by downloads, as Oracle explains:
This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.
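To make the Control Panel setting concrete from a defender's side, here is an added example (not code from Security Explorations, Oracle, or this article) that reads a Java 7 `deployment.properties` file, reports the configured Security Level, and records that, per the finding discussed on this page, the level alone does not stop unsigned code on 7u11. The key names `deployment.security.level` and `deployment.security.level.locked` are taken from Oracle's Java deployment configuration documentation as I recall them and should be treated as an assumption; the sample file contents are constructed.

```python
"""Audit a Java 7 deployment.properties file for the Security Level setting.

Added illustration, not code from Security Explorations, Oracle or this
article. Assumes the Java 7u10+ configuration key 'deployment.security.level'
(values LOW, MEDIUM, HIGH, VERY_HIGH) and its companion
'deployment.security.level.locked'; the sample file below is constructed.
"""
import re

# Levels at which the Java Control Panel prompts before running unsigned applets.
PROMPTING_LEVELS = {"HIGH", "VERY_HIGH"}
LEVEL_KEY = "deployment.security.level"
LOCK_KEY = "deployment.security.level.locked"

# Constructed sample of a user-level deployment.properties (not a real file).
SAMPLE = """\
#deployment.properties
#Constructed sample for illustration
deployment.version=7.11
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.javaws.viewer.bounds=0,0,640,480
"""


def _unescape(s):
    """Drop the backslash from simple escapes such as '\\:' or '\\='."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' ':' or
    whitespace separators, backslash-escaped separators and line continuations.
    (\\uXXXX and \\n style value escapes are not handled.)"""
    props = {}
    pending = None  # accumulated text of a logical line split by '\' continuations
    for raw in text.splitlines():
        line = raw.lstrip()  # Properties strips leading whitespace on every line
        if pending is not None:
            line = pending + line
            pending = None
        elif not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes means the line continues.
        m = re.search(r"(\\+)$", line)
        if m and len(m.group(1)) % 2 == 1:
            pending = line[:-1]
            continue
        # Key runs up to the first unescaped '=', ':' or whitespace.
        km = re.match(r"((?:\\.|[^\\=:\s])*)\s*[=:]?\s*(.*)$", line)
        props[_unescape(km.group(1))] = _unescape(km.group(2))
    return props


def assess(props, update):
    """Summarise what the configured level promises for a Java 7 'update' N
    install, plus the caveat from Security Explorations' Issue 53."""
    # Oracle moved the default from Medium to High in 7u11; an absent key means
    # the default for that release applies.
    level = props.get(LEVEL_KEY, "HIGH" if update >= 11 else "MEDIUM").upper()
    return {
        "level": level,
        "prompts_for_unsigned": level in PROMPTING_LEVELS,
        "locked": props.get(LOCK_KEY) is not None,
        # As of this article no release fixes Issue 53 (7u12 is still awaited),
        # so on 7u11 and earlier the prompt is not a reliable control.
        "bypassable": update <= 11,
        "recommendation": (
            "rely on browser click-to-play or the plugin blocklist, not the level"
            if update <= 11
            else "keep the level at HIGH or above and review vendor fix notes"
        ),
    }


if __name__ == "__main__":
    report = assess(parse_properties(SAMPLE), update=11)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point the parser at the real file (on Windows it lives under the user's `%APPDATA%\..\LocalLow\Sun\Java\Deployment` tree, path from memory) to check a machine; the design keeps the policy judgement in `assess` so the same parser can feed a fleet-wide inventory.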
When the last two Java vulnerabilities were discovered, Security Explorations CEO Adam Gowdiak told us that the new protective layer, available only on Microsoft’s operating system, was working as expected. Yet Gowdiak recently discovered a way to circumvent the protection, according to a Full Disclosure post he made last night:
What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above. Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of the latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with “Very High” Java Control Panel security settings.
That said, recently made security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.
The click-to-play functionality Gowdiak is referring to was introduced in Firefox 17. When the latest Java vulnerability craziness happened earlier this month, Mozilla added all recent versions of Java to its Firefox add-on blocklist and Apple did the same to protect Mac users.
Unfortunately, that was before the release of Java 7 Update 11. With these latest vulnerabilities, all Java users are just as vulnerable as before. The only good news here is that there have yet to be reports of exploits in the wild for these latest security holes.
Unfortunately, it will likely take in-the-wild exploits before we see action from Oracle, as well as from companies like Apple and Mozilla looking to protect their customers. We’re hoping Oracle can get Java 7 Update 12 out before history repeats itself once again.
We have contacted Oracle about this latest discovery. We will update this article if we hear back.
Image credit: Sander Klaver