New vulnerability is found in latest Java 7u7, your computer can be remotely hijacked… again…

Yesterday Oracle released an update to Java 7 (Java 7u7) that fixed nineteen critical vulnerabilities, two of which were exploited by in-the-wild attacks that installed malware on infected machines. It took Oracle four months to patch the just-mentioned vulnerabilities; it took security researchers less than 24 hours to find a new exploit in Java 7u7.

According to Adam Gowdiak of Poland-based Security Explorations (the same people who reported the previous Java 7u6 vulnerability to Oracle four months ago), this new Java 7u7 exploit allows scumbags to take complete control of infected machines; it “facilitates full Java sandbox bypass on latest Java 7 Update 7”. To make matters worse, the attack vectors are now websites and e-mails.

Gowdiak says he is not releasing public details of the exploit for fear of abuse by scumbags but he does say his company has put together proof-of-concepts and sent them to Oracle. It isn’t entirely clear what operating systems this new exploit affects but, seeing as Java is cross-platform, it likely affects Windows, Mac OS X, and Linux.

On the bright side, there haven’t been any reports of this vulnerability being used in the wild (yet). However, it took Gowdiak and his team “about 2-3 hours” to find the new vulnerability while they tried “to fix the proof-of-concept codes that stopped working after applying the recent Java patch”. So, even though Gowdiak has not released details of this exploit, it is conceivable that other people can discover it on their own and start using it if they want to badly enough.

Oracle has not responded to this semi-new development and has not issued any patch. People that want to be protected from this exploit should preferably completely uninstall Java or, at the least, disable Java in browsers. Gowdiak claims this new vulnerability was achieved by combining “some of the April 2012 issues”, and reports on those earlier vulnerabilities said they didn’t affect Java 6. So, while unconfirmed, it is conceivable that Java 6u35 may be unaffected by this new vulnerability, so grab that if you absolutely must have Java.
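Before deciding whether to uninstall or downgrade, it helps to know which release a machine actually runs. The script below is an added example (not from the post or from Security Explorations): it parses the banner that `java -version` writes to stderr and classifies the version using only the thresholds the post states, i.e. Java 7 builds up to and including 7u7 are affected and Java 6u35 is unconfirmed. The sample banners at the bottom are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Pre-Java-9 version strings look like 1.7.0_07 (= Java 7 Update 7).
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a `java -version` banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def assess(version: Optional[Tuple[int, int]]) -> str:
    """Classify strictly by what the report says; anything else is 'not covered'."""
    if version is None:
        return "no-java-found"
    major, update = version
    if major == 7 and update <= 7:
        return "affected"           # full sandbox bypass reported up to 7u7
    if major == 6:
        return "unconfirmed-possibly-unaffected"  # 6u35 not confirmed either way
    return "not-covered-by-report"


def installed_java_version() -> Optional[Tuple[int, int]]:
    """Run the local `java -version` (banner goes to stderr); None if no java."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample banners for offline use.
SAMPLE_BANNERS = {
    "affected-box": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "java6-box": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    "no-java-box": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(host, assess(parse_java_version(banner)))
    print("this machine", assess(installed_java_version()))
```

Machines classified as "affected" get the post's remedy: remove Java or disable it in every browser.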

[Thx Godel, via ArsTechnica | Image via satanoid]

  • Eric989

    @Ashraf: I think I have figured out the Firefox hiding of http problem with partial links. If you copy the entire link it works fine. If you click in the middle and drag to select everything to the left, it still works fine. However, if you edit what is in the address bar at all, even by removing just the / at the end, you will not be able to copy over the http part. If you need a partial link you have to just click to the right of where you want to end and drag all the way to the left. You must resist the urge to manually delete the part of the link you don’t want. This explains why my experiences with it have always been inconsistent. I just figured this out a few minutes ago. Hopefully this works for everyone else, too.

  • Wow! Oracle…not feeling like one much these days.

    Guess that is why a lot of new computer builds DON’T include JAVA anymore.


    Wondering how long will it be before the apps on my TV and/or DVD Player and/or Media Box get cracked and poisoned. It’s a matter of time.

  • Ashraf

    @Eric: Glad I could be of service :-)

  • Eric

    But if Firefox updated like Java used to, my hard drive would be full with Firefox 3.6 through 3.6.518Trillion! Java used to not even erase copies within the same version number but this seems to have changed.

  • Eric

    Thanks for reminding me about that link. I should have said Mozilla make it hard, Ashraf make it easy! Up to this point I have always just used portable versions or clones like Pale Moon, Comodo Ice Dragon, CometBird, and some other outdated ones.

    I have had the same trouble with the http:// but right now it seems to be working on partial links in FF15.

  • Ashraf

    @Eric: See
    @Jyo: Bah, this is why I hate how Firefox hides http:// — it doesn’t copy over http:// when copying a partial link…

  • Jyo

    @Ashraf: Uhmm, you might wanna fix the Ars Technica source link. Easter Egg?!

  • Jyo

    @Eric: The last sentence in your comment made me LOL. So true, so true..

  • Eric

    Unfortunately installing Java 6 will not uninstall Java 7. You will have to remember to uninstall Java 7 as well. Java has always been bad about this. I think I have seen 10 or more versions of Java installed on a single machine before. I only wish Firefox made it that easy to install multiple versions of their browser.