The bug can be exploited for a complete sandbox bypass

Apr 22, 2013 07:45 GMT  ·  By

Less than a week has passed since Oracle released its April 2013 Critical Patch Update for Java and researchers have already identified a vulnerability affecting the latest version of the software.

Polish firm Security Explorations has discovered a Reflection API issue – dubbed “Issue 61” – that plagues all variants of Java 7, including Update 21.

According to Adam Gowdiak, the CEO and founder of the company, the newly found bug impacts not only the JRE plugin, but the recently announced Server JRE as well.

“[The vulnerability] can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” the expert told Softpedia.

It’s also worth noting that this is a completely new security hole that doesn’t rely on any previously unpatched flaws.

A vulnerability report and a proof of concept have been sent to Oracle. Gowdiak says the company hasn’t confirmed the issue, but he believes it shouldn’t take more than a day, considering that the reproduction of the flaw consists of simply running a Java code in a web browser.

“In Apr 2012, we reported our first vulnerability report to Oracle corporation signaling multiple security problems in Java SE 7 and the Reflection API in particular. It's been a year since then and to our true surprise, we were still able to discover one of the simplest and most powerful instances of Java Reflection API based vulnerabilities,” Gowdiak noted.

“It looks Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the ‘allowed’ classes space. If so, no surprise that Issue 61 was overlooked.”