
Thursday, September 6, 2012

Java 7 Patch Contains Critical Vulnerability

According to security researchers from Security Explorations, the Java 7 security update released Thursday contains a vulnerability that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent Oracle a report on the vulnerability, together with a proof-of-concept exploit, on Friday, Adam Gowdiak, the company's founder and CEO, said the same day via email. The company does not plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.

According to Gowdiak, Security Explorations privately reported 29 vulnerabilities in Java 7 to Oracle back in April, including the two that are now being actively exploited by attackers. The new vulnerability discovered by Security Explorations in Java 7 Update 7 can be combined with some of the vulnerabilities Oracle left unpatched to achieve a full JVM sandbox bypass again.

"Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again," Gowdiak said. "A new idea came, it was verified and it turned out that this was it."

In Security Explorations' experience hunting Java vulnerabilities so far, Java 6 has held up better than Java 7. "Java 7 was surprisingly much easier for us to break," Gowdiak said. "For Java 6, we didn't manage to achieve a full sandbox compromise, except for the issue discovered in Apple Quicktime for Java software."

The most recent security problems with Java are far from unique. Security firm Sophos, for example, blames an underlying Java vulnerability for the Flashback malware attacks last April, which it says infected one out of five Macs.

The rewards of keeping Java installed do not outweigh the risks, said Dominique Karg, founder and chief hacking officer of security software company AlienVault. "I'd say 90 percent of users don't need Java anymore, I consider myself a 'power user' and the last and only time I realized I had Java installed on my Mac was when I had to update it."

Most security researchers have said it before, and it still holds: if you don't need Java, uninstall it from your system. If you do need it for desktop applications, at least disable the Java browser plugin, since the sandbox that these bypasses escape is the one that runs attacker-supplied code delivered through the browser.

Frank Toscano is a 15+ year specialist in cloud-based services focusing on Product Management, Marketing and Security within the Cloud. He has worked for EasyLink Services and Premiere Global Services in a global role providing hosted services to Fortune 1000 clients. He is currently seeking employment with a cloud-based provider in a senior-level Product/Marketing role.
