Java Still Has Vulnerabilities

  • Three security holes
  • Emergency patch Java 7 Update 11
  • Recent version of Java SE7 code

Security Explorations researcher Adam Gowdiak claimed that his team had discovered three security holes in Java's latest version, which Oracle’s latest sweep may have missed.

According to Gowdiak, one of the security risks is the same problem for which Oracle recently released the emergency patch Java 7 Update 11. The vulnerability allows a skilled attacker to achieve a "complete Java security sandbox bypass", a persistent problem that prompted the U.S. Department of Homeland Security to recommend temporarily disabling the software.

Security Explorations also found two new security flaws in a "recent version of Java SE7 code," which it has submitted to Oracle for review and, it hopes, for a fix.

According to the researchers at Security Explorations, the security firm Immunity was one of their sources for identifying the portion of Java code that remains vulnerable after the patch was issued. A quick browse through Immunity's findings shows that the remaining flaw depends on the signing of a Java applet, and that the flaw is not present in Java 6, which Oracle has confirmed. Because of the prompt added in Java 7 Update 11, part of the initial security hole has been closed, and unsigned applets can no longer gain access by that method.

If the new holes discovered by Gowdiak and his team are legitimate threats, it may be advisable to keep Java disabled in browsers until Oracle responds with another, more complete fix.