New Java vulnerability in Java 5/6/7 bypasses Java security sandbox, affects 1 billion users worldwide

Is it open season on Java? Or has the season for Java never ended? Who knows. I do know, however, that yet another vulnerability has been discovered in Java. This time the vulnerability affects Java 5, Java 6, and Java 7, meaning roughly one billion users around the world are vulnerable.

Security Explorations, the Polish security firm that discovered the two Java vulnerabilities mentioned a few weeks ago, is reporting yet another bug in Java. This new bug allows for a “complete Java security sandbox bypass”. That means the bug completely defeats Java’s built-in sandbox, the security feature that is meant to confine untrusted Java code (such as a web applet) so it cannot act on the underlying system. As Adam Gowdiak, CEO of Security Explorations, told ComputerWorld, this vulnerability allows “an attacker [to] install programs, view, change, or delete data with the privileges of a logged-on user”. In other words, the access this bug gives to hackers is limited only by their imagination.

Gowdiak says this bug has been tested on Windows 7 but affects all platforms (Windows, Mac OS X, Linux, and Solaris) that run Java 5/6/7. Having the latest updated version of Java does not protect you; at the time of this writing, the latest versions of Java (Java SE 5 Update 22, Java SE 6 Update 35, and Java SE 7 Update 7) are all vulnerable. That means all major browsers, including Chrome, Firefox, Opera, Internet Explorer, and Safari, are not safe if Java plugins are installed.

There are no reports of in-the-wild attacks exploiting this new bug, yet.

Oracle has yet to respond to reports of this new vulnerability. Until and unless Oracle responds to the reports, the earliest likely patch for this bug will happen on October 16, 2012, the date for regularly scheduled Java updates.

For past vulnerabilities, dotTech and experts recommended at least disabling Java in your browser if you can’t uninstall it completely. Seeing as this vulnerability is even more dangerous than previous ones, the same advice applies: if you cannot uninstall Java from your computer altogether (because you may need it to run a program), at least disable it in your browser. If you are not sure how to uninstall or disable Java, read the following guides by dotTech:

Oh Java what will we do with you.

[via ComputerWorld, Security Explorations]

  • Peter

    Huh?? Java 5? Who uses that any more?

    Any information if
    C:\Users\Peter>java -version
    java version "1.8.0-ea"
    Java(TM) SE Runtime Environment (build 1.8.0-ea-b57)
    Java HotSpot(TM) 64-Bit Server VM (build 24.0-b22, mixed mode)

    is secure?

  • AFPhys

    Yet again, I would like to recommend the FireFox (and maybe other browser) add-on called QuickJava.

    It creates a row of buttons on the lower bar to enable/disable Java, JavaScript, Silverlight, Flash, CSS, and some other options.

    I have had Java disabled for the last few weeks, and have never enabled SilverLight. On some sites, it really helps me to disable their CSS to get rid of garbage features that annoy me (silly flags and click on garbage to view page underneath).

    Very worthwhile addon and especially useful with these newfound Java vulnerabilities.

  • sl0j0n

    Hello, all.
    IF you want to un-install Java on Windoz, get JavaRa.
    Does a GREAT job, and it’s freeware, too.
    BTW, does anyone here know if there’s any truth to the rumor
    that companies like Oracle are being black-mailed by some “security firms”
    to pay them off, to prevent publication of their ‘security’ holes?
    Just wondering about that.
    Seems I heard something like that, a while back.

    Have a GREAT day, neighbors!