The vulnerability that affects Java 5, 6 and 7 remains unaddressed

Jan 14, 2013 08:44 GMT
Oracle has only now completely fixed the vulnerability reported back in August 2012

Oracle has updated Java 7 to address the zero-day vulnerability found to be exploited in the wild. We’ve reached out to researchers from Security Explorations to find out whether Java 7 Update 11 properly addresses the vulnerabilities.

Adam Gowdiak, the CEO of Security Explorations, has told Softpedia that Oracle has addressed the flaw in the Reflection API. This is basically the vulnerability that the security firm reported to Oracle back in August 2012.

The vulnerability was partly addressed back in October and this latest update fixes what was missed back then.

“It's disappointing to see Oracle not having the courage to admit to the fault with the previous patch (no association to Issue 32 in Oracle's Security Alert),” Gowdiak told us in an email.

“We stand in whole by the claims that we've made recently. The 0-day attack code (in the form found in the wild) would not be possible if Issue 32 had been correctly resolved by Oracle in Oct 2012 Java SE CPU,” he added.

On the other hand, the second vulnerability leveraged by the latest exploit, the one related to obtaining references to restricted classes (the MBeanInstantiator bug), was not addressed. Fortunately, this bug cannot be exploited on its own.

“Alone, it is not worth much. It needs another (new) vulnerability similar to the one patched in new Reflection API that would allow attackers to actually play with the restricted classes (attacker needs some way to obtain and call its methods in particular),” the expert explained.

Gowdiak advises users to keep in mind that the vulnerability that affects Java 5, 6 and 7 (the one dubbed “issue 50”) is still unaddressed.

Researchers from security firm Sophos have highlighted the fact that the vulnerabilities fixed in update 11 don’t apply to standalone Java applications or server-side Java installs. Instead, they apply only to applets that run inside the web browser.

“There were some vectors such as Java RMI (Remote Method Invocation) which could be abused to run malicious Java code on servers. We are however not sure if they are still valid,” Gowdiak noted.

“We mentioned a possibility to attack servers with the use of security bugs in Java in our materials disclosing the SE-2012-01 project.”