New Java flaw identified; Old one exploited

Status
Not open for further replies.

Ink

Jan 8, 2011
A flaw identified in the latest version of Java allows for a complete bypass of the Java security sandbox, a security firm reported today. Meanwhile, a security hole recently fixed by Oracle is being targeted by attackers, underscoring the importance of installing patches quickly.

Source: ArsTechnica
 

softwareFREEk

Dec 27, 2012
This is getting old: Java NEW zero-day vulnerabilities

Researchers from Polish firm Security Explorations have identified another serious vulnerability in Java 7. The experts say Java SE 7 Update 15 and all earlier versions are affected.

Adam Gowdiak, the CEO of Security Explorations, has told Softpedia that they’ve uncovered two security issues, which they’ve dubbed “issue 54” and “issue 55.”

When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox.

Oracle has been provided with the details of the newly uncovered bugs, but so far, it has only confirmed receiving the information. Most likely, the company will confirm the existence of the flaws in the upcoming days.

“Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way,” Gowdiak noted. “Without going into further details, everything indicates that the ball is in Oracle's court. Again.”

The experts have tested their findings against the initial release of Java SE 7, Java SE 7 Update 11, and Java SE 7 Update 15, which is the version released a few days ago.

Oracle released its February Critical Patch Update (CPU) ahead of schedule. The CPU released on February 1 addressed a total of 50 Java vulnerabilities.

However, the company released an updated CPU on February 19 to fix an additional 5 security issues.

The next CPU is scheduled for April 16, but if experts discover that issue 54 and issue 55 are exploited in the wild, Oracle could release another out-of-band patch.

In the meantime, experts keep advising users to disable Java if they don’t need it for their everyday tasks. The new advisories come in light of the recent breaches reported by Facebook, Apple and Microsoft.

In all of these incidents, it’s believed that cybercriminals have leveraged a Java vulnerability to distribute malware onto the organizations' computers.

Source:
Read here
 