A couple of days ago, we learned that researchers from Polish firm Security Explorations had uncovered two Java 7 Update 15 vulnerabilities that could be leveraged for a complete sandbox bypass. Oracle has assigned tracking numbers to the flaws, but it still hasn't confirmed the experts' findings.
“It looks like Oracle avoids confirming the issues. On one hand they sent us tracking numbers (they were usually sent when issues were confirmed),” Security Explorations CEO Adam Gowdiak told us in an email.
He added, “However, in the same message the company stated that if the issues are confirmed as vulnerabilities we will receive monthly updates from them. That's quite an unclear message to us.”
According to the company’s status page, Oracle has been asked if it needs any assistance in running the proof-of-concept, or if it requires confirmation from a third party, such as US-CERT.
However, Gowdiak says that running the POC and verifying the existence of the vulnerabilities is not a difficult task.
“All one needs to confirm the newly reported issues is to find a desktop system with Java enabled in the browser and run the Proof of Concept code on it. That's basically a 10 min. job (unless Oracle uninstalled Java from all their systems due to security concerns),” Gowdiak noted.
The expert also stresses that the researchers are 100% confident in their claims.
“Our Proof of Concept code creates a file and spawns notepad.exe in the environment of Java 7 Update 15. This speaks for itself,” he said.
Recently, Oracle representatives have promised to clean up their act when it comes to security and try to address bugs faster than they have so far. The first move came on February 1, when they released their February Critical Patch Update (CPU) ahead of schedule to address a total of 50 Java vulnerabilities.
However, judging by what Security Explorations is saying, Oracle still has a long way to go before running Java on a computer becomes risk-free.
This is not the first time the Polish firm has been unhappy with the way Oracle handles a vulnerability it has submitted. Back in October 2012, the researchers demonstrated that one of the security holes they reported could be fixed in just 30 minutes.