- dotTech - http://dottech.org -

Latest version of Java (7u11) is still vulnerable, Oracle issued an incomplete patch according to experts

java_image [1]

Something surprising happened last week. Oracle issued an update (Java 7u11, Java 6u37, Java 5u38, and Java 4u40) [2] in just three days to patch a recently discovered and massively exploited Java vulnerability [3]. And over the weekend, too. As it turns out, Oracle didn’t do a very good job. (Is anyone surprised?)

According to two security firms, Trend Micro and Immunity Inc., the most recently discovered Java exploit (the one that hit the headlines on Jan 10) was due to two vulnerabilities in Java. The most recent patch issued by Oracle on Jan 14 (Java 7u11, Java 6u37, Java 5u38, and Java 4u40) patched only one of the vulnerabilities. Both firms independently came to this conclusion (meaning they both studied the patch and figured this out)

It isn’t entirely clear what type of exploits can be achieved with just one of the vulnerabilities seeing as the original exploit required both. However, it looks as if Oracle issued an incomplete patch. To make matters worse, it is being reported that this still-unpatched vulnerability is being sold for $5,000 in underground criminal forums. So if this unpatched-vulnerability does not allow significant exploits yet, it likely will soon once crackers have a chance to play around with it.

Aside from that, Adam Gowdiak, CEO of Poland-based Security Explorations, says his firm has discovered that Java 7u11 is still vulnerable to a “complete Java security sandbox bypass”:

We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).

Two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today [4] (along with a working Proof of Concept code).

The good news (if you can call it good news) is the vulnerability discovered by Gowdiak requires users to explicitly run an infected Java applet. In other words, in the recent Java 7u11 patch, Oracle made a change that required users to explicitly give permission to run any unsigned or self-signed Java applets (i.e. users have to click ‘OK’ to run a Java applet that doesn’t have a valid security certificate). The vulnerability Gowdiak and co discovered cannot bypass this new security feature by Oracle. However, once a user runs the Java applet, then there is nothing stopping the exploit.

To be clear, the vulnerability discovered by Gowdiak and co affects only Java 7. The still unpatched vulnerability pointed out by Trend Micro and Immunity Inc. affects Java 7, 6, 5, and 4. It isn’t entirely clear if this is for Windows only or Mac and Linux, too.

…Yep. Still open season on Java. If you haven’t done so already, you probably want to disable or uninstall Java. See the links below to learn how.

[via ArsTechnica [6], Security Explorations [7], image via HowToGeek [8]]