Oracle says one of the flaws is not a security hole as it demonstrates "allowed behavior"
On Wednesday, we learned that Oracle had assigned tracking numbers to the Java 7 issues reported to the company by Security Explorations, but it hadn’t confirmed the vulnerabilities. Now, Oracle has officially confirmed the full sandbox bypass, but the experts are unhappy with the firm’s assessment of the matter.The full sandbox bypass has been achieved by experts after exploiting a couple of issues, dubbed “issue 54” and “issue 55.” Oracle admits that “issue 55” is a vulnerability, but says that “issue 54” is not a security hole because it demonstrates “allowed behavior.”
“We disagree with Oracle's assessment regarding Issue 54. There is a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception,” Adam Gowdiak, CEO of Security Explorations, explained in an email sent to Full Disclosure.
“That alone seems to be enough to contradict the ‘allowed behavior’ claim by the company (is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?).”
Gowdiak says that if Oracle doesn’t change its views on the matter, they will have no choice but to publish the technical details of “issue 54,” just as they’ve done with Apple last year.
The expert has told Softpedia that they’ve provided Oracle with another sample “illustrating denied access conditions similar to the one exploited by issue 54.”
He says that they haven’t given Oracle a precise deadline to review their initial assessment, but one or two weeks should be enough.
In addition, Oracle hasn’t been notified regarding Security Explorations’ plans to make the details of the flaw public, but Gowdiak highlights the fact that the company should be aware of the possibility, considering that they did this in the past.
We’ve asked him if the publication of “issue 54’s” details could help cybercriminals in exploiting the latest Java 7 vulnerability.
“The security community should be primarily able to make a judgment of both companies claims. If still claimed to be non-related to security, publication of Issue 54 details should not lead to any big problems,” Gowdiak said.