New Java vulnerability in Java 5/6/7 bypasses Java security sandbox, affects 1 billion users worldwide

Is it open season on Java? Or has the season for Java never ended? Who knows. I do know, however, that yet another vulnerability has been discovered in Java. This time the vulnerability affects Java 5, Java 6, and Java 7, meaning roughly one billion users around the world are vulnerable.

Security Explorations, the Polish security firm that discovered the two Java vulnerabilities mentioned a few weeks ago, is reporting yet another bug in Java. This new bug allows for a “complete Java security sandbox bypass”. The sandbox is the security feature of Java that is supposed to keep untrusted code, such as an applet loaded from a web page, from touching the rest of the machine (files, network, native code); a complete bypass means a malicious applet gets the same access to the system as a program the user installed deliberately. As Adam Gowdiak, CEO of Security Explorations, told ComputerWorld, this vulnerability allows “an attacker [to] install programs, view, change, or delete data with the privileges of a logged-on user”. In other words, whatever the logged-on user can do on that computer, a web page that exploits this bug can do too.

Gowdiak says this bug has been tested on Windows 7 but affects all platforms (Windows, Mac OS X, Linux, and Solaris) that run Java 5/6/7. Running the latest version of Java does not protect you; at the time of this writing, the latest versions of Java (Java SE 5 Update 22, Java SE 6 Update 35, and Java SE 7 Update 7) are all vulnerable. That means all major browsers, including Chrome, Firefox, Opera, Internet Explorer, and Safari, are exposed if the Java browser plugin is installed and enabled.
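If you manage more than one machine, it helps to script the check rather than eyeball `java -version` on each box. The following is an added example written for this post; it is not dotTech's code and not from Security Explorations or Oracle. It parses the first line of `java -version` output (assumed to look like `java version "1.7.0_07"`, the format Oracle and OpenJDK builds used at the time) and compares the build against the three releases named above. Any Java 5/6/7 build at or below those updates is reported as affected; anything newer is reported as "newer than the builds named here", which is a prompt to check Oracle's advisory, not a verdict that it is safe. The sample version strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Java install against the versions the article lists
# as vulnerable (Java SE 5u22, 6u35, 7u7). Not code from dotTech, Security
# Explorations or Oracle; the version-string format is an assumption.

# Newest update of each major version that the article reports as affected.
latest_vulnerable_update() {
    case "$1" in
        5) echo 22 ;;
        6) echo 35 ;;
        7) echo 7 ;;
        *) return 1 ;;   # not a Java 5/6/7 major version
    esac
}

# Parse a line such as:   java version "1.7.0_07"
# and print "<major> <update>", e.g. "7 7". Returns 1 if the line is not a
# Java 5/6/7 version string (e.g. Java 8+, or not Java at all).
parse_java_version() {
    line=$1
    case "$line" in
        *' version "1.'[5-7]'.0'*'"'*) ;;   # java version "1.x.0..." or openjdk version "1.x.0..."
        *) return 1 ;;
    esac
    ver=${line#*\"}          # 1.7.0_07"
    ver=${ver%%\"*}          # 1.7.0_07
    major=${ver#1.}          # 7.0_07
    major=${major%%.*}       # 7
    case "$ver" in
        *_*) update=${ver##*_} ;;   # 07  (may carry a suffix such as 09-icedtea)
        *)   update=0 ;;            # bare "1.6.0" -> update 0
    esac
    # Drop any non-numeric suffix, then leading zeros, so "07" compares as 7.
    update=$(printf '%s' "$update" | sed 's/[^0-9].*//; s/^0*//')
    [ -n "$update" ] || update=0
    printf '%s %s\n' "$major" "$update"
}

# Exit status: 0 = affected (Java 5/6/7 at or below the builds named in the
# article), 1 = newer than those builds (re-check against Oracle's advisory),
# 2 = not a Java 5/6/7 version string.
java_vulnerable() {
    parsed=$(parse_java_version "$1") || return 2
    major=${parsed% *}
    update=${parsed#* }
    max=$(latest_vulnerable_update "$major") || return 2
    [ "$update" -le "$max" ]
}

# Human-readable report for one version line.
report() {
    rc=0
    java_vulnerable "$1" || rc=$?
    case "$rc" in
        0) printf '%s: AFFECTED (no fix available at time of writing)\n' "$1" ;;
        1) printf '%s: newer than the builds named here; check Oracle advisory\n' "$1" ;;
        *) printf '%s: not a Java 5/6/7 build\n' "$1" ;;
    esac
}

# Check the java on PATH, if any. `java -version` prints to stderr.
check_local_java() {
    if command -v java >/dev/null 2>&1; then
        report "$(java -version 2>&1 | head -n 1)"
    else
        echo "no java on PATH"
    fi
}

# Constructed sample lines, not captured from real machines.
report 'java version "1.7.0_07"'           # AFFECTED
report 'java version "1.6.0_35"'           # AFFECTED
report 'java version "1.5.0_22"'           # AFFECTED
report 'java version "1.7.0_09-icedtea"'   # newer than the builds named here
report 'java version "1.4.2_19"'           # not a Java 5/6/7 build
check_local_java
```

The script deliberately refuses to call a newer build "safe": at the time of writing every Java 5/6/7 release is affected, so "newer than listed" only means the build appeared after this article, and the fix status has to be confirmed against Oracle's own advisory.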

There are no reports of in-the-wild attacks exploiting this new bug, yet.

Oracle has yet to respond to reports of this new vulnerability. Unless Oracle issues an out-of-schedule fix, the earliest likely patch for this bug is October 16, 2012, the date of the next regularly scheduled Java update.

For past vulnerabilities, dotTech and experts recommended at least disabling Java in your browser if you cannot uninstall it completely. Seeing as this vulnerability affects every supported version of Java and is even more dangerous than the previous ones, the same advice applies: if you cannot uninstall Java from your computer altogether (because you may need it to run a program), at least disable the Java plugin in every browser you use. If you are not sure how to uninstall or disable Java, read the following guides by dotTech:

Oh Java, what will we do with you?

[via ComputerWorld, Security Explorations]
