Experts Find Sandbox Bypass Vulnerability in Java 7 Update 25

The attack method has been known for over ten years, yet it hasn't been addressed

Security researchers from Polish company Security Explorations say they’ve identified a critical vulnerability that affects Java 7 Update 25 and previous versions.

According to the company’s CEO, Adam Gowdiak, the vulnerability, dubbed “issue 69,” can be exploited via a “very classic attack” for a complete Java sandbox bypass.

What’s interesting about the attack is that it’s not new. Experts say the attack method has been known for over 10 years and it should have been mitigated with the Reflection API introduced to Java SE 7.

“It's one of those risks one should protect against in the first place when new features are added to Java at the core VM level,” Gowdiak noted in an email sent to Softpedia.

The expert points to a recent blog post in which Oracle representatives claim that maintaining the security-worthiness of Java has been among the company’s top priorities after the acquisition of Sun Microsystems.

“If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release,” he explained.

“This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect.”

The details of the vulnerability and a working proof-of-concept have been submitted to Oracle.

In addition to reporting this flaw, Security Explorations has published the technical details and POC codes for previously identified Java issues that have been addressed by Oracle and IBM.

The details have been published for “issue 61,” which Oracle fixed in the June 2013 Java SE CPU, and POCs for nine IBM Java vulnerabilities addressed in early July 2013.

Security Explorations has also published information and some comments on the CVE numbers assigned by Oracle to issues reported by the company as part of its SE-2012-01 project.

Hot right now  ·  Latest news