One Billion Users Affected by Java Security Sandbox Bypass Vulnerability, Experts Say

Security Explorations identifies an issue that affects Java SE 5, 6 and 7

  Security Explorations identifies new flaw in Oracle Java
Researchers from Security Explorations are experts when it comes to finding critical vulnerabilities in Java. They claim to have identified another flaw that affects all Oracle Java SE versions and the nearly one billion desktop computers on which the software is currently installed.

Researchers from Security Explorations are experts when it comes to finding critical vulnerabilities in Java. They claim to have identified another flaw that affects all Oracle Java SE versions and the nearly one billion desktop computers on which the software is currently installed.

This bug, codenamed issue 50, has been identified just before the start of Oracle’s JavaOne 2012 conference that will take place in San Francisco.

“The impact of this issue is critical - we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7,” Adam Gowdiak, CEO of Security Explorations, told Softpedia via email.

“So far, we could only claim such an impact with reference to Java 7 environment (the Apple QuickTime attack relying on Issues 15 and 22 is the only exception here).”

According to Gowdiak, the vulnerability can be leveraged by an attacker to “violate a fundamental security constraint” of Java Virtual Machines.

The researchers have confirmed that Java SE 5 – Update 22, Java SE 6 – Update 35, and Java SE 7 Update 7 running on fully patched Windows 7 32-bit operating systems are susceptible to the attack.

The affected web browsers are Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89, Firefox 15.0.1, and Internet Explorer 9.0.8112.16421.

The company has provided Oracle with a complete technical description of the flaw, along with source and binary codes, and a proof of concept that demonstrates the complete security sandbox bypass in Java SE 5, 6 and 7.

“We hope that a news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's morning...Java,” the CEO concluded.

Now, it remains to be seen if Oracle will be able to address this issue by the time the October CPU is released.

2 Comments