It appears that the latest version of Java is just as vulnerable as all the rest. On Monday, Security Explorations, the Polish security firm responsible for identifying the majority of the latest Java security holes, sent Oracle yet another vulnerability notice, including proof of concept code for five new flaws. Oracle confirmed it received the report today and has begun investigating.
We got in touch with Security Explorations to confirm it’s not all bad news. The firm told us that the vulnerabilities need to be chained together to bypass Java’s security checks, and that this particular set isn’t yet being used by attackers to the company’s knowledge.
“The issues need to be combined together to achieve a complete Java security sandbox bypass,” Security Explorations CEO Adam Gowdiak told TNW. “This attack technique is quite common in a Java security world. Separately, none of the issues leads to any major security breach. We have no information that any of these issues were being exploited in the wild.”
The latest discoveries follow news from last week that at least three 0-day vulnerabilities were found in the company’s software, and at least one is actively being exploited. “0-day” or “zero-day” refers to a security hole that has not been publicly disclosed yet, and so doesn’t have a patch available.
The first two were also found by Security Explorations and disclosed to Oracle on February 25. Two days later, Oracle declared the first alleged issue was not a vulnerability but confirmed the second issue. Security Explorations disagreed with Oracle’s assessment regarding the first issue and Oracle agreed to investigate again after receiving further examples.
The vulnerability already being exploited was discovered by security firm FireEye, which said it had already been used “to attack multiple customers.” The company has found that the flaw can be exploited successfully in browsers that have Java v1.6 Update 41 or Java v1.7 Update 15 installed.
Oracle pushed out the two updates on February 19, containing five security fixes. This was a scheduled release, but it followed a previous emergency update that addressed 50 vulnerabilities. In February, Java exploits have resulted in computers being compromised at multiple companies, including Apple, Facebook, and Microsoft.
Since at least one of these eight flaws is already being exploited in the wild, we recommend that regardless of what browser and operating system you are using, you should uninstall Java if you don’t need it. If you do need it, disable Java in your default browser, use a second browser when Java is required, and set your Java security settings to “High” so that it prompts you before loading an applet.
Image credit: Peter Kaminski