Oracle's Java exploit patch still leaves vulnerabilities

The Java 7 update that Oracle released on Aug. 30 (Java 7 Update 7) still contains a hole that allows attackers to escape the sandbox of the Java virtual machine (JVM), the part of the software platform that executes Java code, according to Security Explorations CEO Adam Gowdiak.

"Today we sent a security vulnerability report along with a Proof of Concept code to Oracle," said Gowdiak in a user group posting.

"The code successfully demonstrates a complete JVM sandbox bypass in the environment of the latest Java SE software (Version 7 Update 7, released on Aug 30, 2012). The reason for it is a new security issue that made exploitation of some of our not-yet-addressed bugs possible again."

There are 25 issues still open, he said, which Oracle plans to patch in its Oct. 2012 and Mar. 2013 Java critical patch updates; the updates follow a quarterly release cycle.

Several researchers had already verified that the patch stops the most recent zero-day Java exploit, and Gowdiak acknowledged that it closes many exploit vectors. Those include the ClassFinder/MethodFinder bugs and the use of the getField and getMethod methods of the sun.awt.SunToolkit class.
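The fixes listed above only make sense against the checks the sandbox enforces when untrusted code tries to reach sun.awt.SunToolkit and its private helpers on its own. The following program is an added example, written for this page; it is not code from the article, from Oracle or from Security Explorations, and the Holder class and method names are illustrative. It shows the two checks a Security Manager imposes, loading a class from a restricted sun.* package and switching off language access control with setAccessible, which is what a working bypass has to get around; it does not demonstrate any bypass.

```java
import java.lang.reflect.Field;

/**
 * Added example (not from the article or Oracle). Run it twice from the
 * directory that holds the compiled class:
 *
 *   java SandboxChecks                         -> no Security Manager, both steps succeed
 *   java -Djava.security.manager SandboxChecks -> default sandbox policy, both steps denied
 *
 * The Security Manager exists in Java 8 through 23 (deprecated from 17, with
 * a startup warning); Java 24 removed it, so the denied run needs an older JDK.
 */
public class SandboxChecks {

    /** Illustrative class with a private member, standing in for a JDK internal. */
    static final class Holder {
        private static String secret = "private data";
    }

    /**
     * Check 1: class loading. The application class loader asks the Security
     * Manager for RuntimePermission "accessClassInPackage.<pkg>" before it
     * loads anything from a restricted package such as sun.awt.
     */
    static String loadRestrictedClass(String name) {
        try {
            Class<?> c = Class.forName(name);
            return "loaded " + c.getName();
        } catch (SecurityException e) {
            // With the sandbox on: access denied ("java.lang.RuntimePermission"
            // "accessClassInPackage.sun.awt")
            return "denied: " + e.getMessage();
        } catch (ClassNotFoundException e) {
            return "not found: " + name;
        }
    }

    /**
     * Check 2: reflection. setAccessible(true) requires ReflectPermission
     * "suppressAccessChecks", which the default sandbox policy does not grant,
     * so untrusted code cannot read private members this way.
     */
    static String readPrivateField() {
        try {
            Field f = Holder.class.getDeclaredField("secret");
            f.setAccessible(true);
            return "read: " + f.get(null);
        } catch (SecurityException e) {
            // With the sandbox on: access denied ("java.lang.reflect.ReflectPermission"
            // "suppressAccessChecks")
            return "denied: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "reflection failed: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("security manager: " + System.getSecurityManager());
        System.out.println(loadRestrictedClass("sun.awt.SunToolkit"));
        System.out.println(readPrivateField());
    }
}
```

Both steps are denied only because the default policy file grants classpath code neither permission; a bug that lets untrusted code route either operation through a trusted, privileged JDK class is exactly what turns the denials above into a sandbox escape, which is why the article's list of fixed components is made up of such classes and methods.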

"Cyber-criminals…love Java because it is multi-platform—capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux," said Graham Cluley, senior security consultant at Sophos. "As a result, it's not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload."

The most recent Java zero-day vulnerability was discovered in the wild last week, and its use mushroomed after it was added to the BlackHole exploit kit. Malware trackers said it was responsible for tens of thousands of newly infected machines in just a day and a half, and almost all of the domains serving it were hosting multiple exploits.

Many experts advise that enterprises disable the Java plug-in in all installed browsers until Oracle issues a full patch, a move that is unlikely to affect the end-user experience.