Researchers from Polish firm Security Explorations – the ones who were the first to report the vulnerabilities which led to the now-infamous Java zero-day – have just reported another similar bug to Oracle. This means that Java users are still exposed, even if they’ve applied the patch released by the company.
“The out-of-band patch released by Oracle yesterday, among other things fixed the exploitation vector with the use of SunToolkit class, the one we used in our proof of concept codes. This made many of them not working...Till today,” Adam Gowdiak, founder and CEO of Security Explorations, told Softpedia via email.
“When combined with some of the Apr 2012 issues, the new issue (number 32) reported to Oracle today allows to achieve a complete JVM sandbox bypass in the environment of latest Java SE 7 Update 7 (version that was released on Aug 30, 2012).
“What this means is that Java 7 users are still at risk from being exploited and the issues we reported to Oracle need to be addressed,” he added.
Unfortunately, this means that we have to advise everyone once again to disable the Java component to ensure that cybercriminals can’t breach their computers.
Here’s what the expert recommended when the world first learned of the Java zero-day. Considering the new discovery, the same advice applies.
“Disable Java in your web browser (or system) and wait for patches from Oracle. Alternatively, uninstall Java completely from the system if not in a need of it,” Gowdiak said.
We have made small advisories for Internet Explorer and Mozilla Firefox users on how to disable the buggy component. The deactivation process in Firefox is fairly easy, but it’s a bit more tricky for Internet Explorer.
It’s uncertain at this point if cybercriminals are aware of this vulnerability, but hopefully they’re not. It will remain to be seen if Oracle can issue another out-of-band patch for this security hole as well, or if it will attempt to address it only in the next CPU.