Vulnerability Affecting Java 7 Update 15 and Earlier Versions Identified

Security Explorations has discovered another sandbox bypass flaw

  Security Explorations identifies new Java 7 Update 15 zero-day
Researchers from Polish firm Security Explorations have identified another serious vulnerability in Java 7. The experts say Java SE 7 Update 15 and all earlier versions are affected.

Researchers from Polish firm Security Explorations have identified another serious vulnerability in Java 7. The experts say Java SE 7 Update 15 and all earlier versions are affected.

Adam Gowdiak, the CEO of Security Explorations, has told Softpedia that they’ve uncovered two security issues, which they’ve dubbed “issue 54” and “issue 55.”

When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox.

Oracle has been provided with the details of the newly uncovered bugs, but so far, it has only confirmed receiving the information. Most likely, the company will confirm the existence of the flaws in the upcoming days.

“Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way,” Gowdiak noted. “Without going into further details, everything indicates that the ball is in Oracle's court. Again.”

The experts have tested their findings against the initial release of Java SE 7, Java SE 7 Update 11, and Java SE 7 Update 15, which is the version released a few days ago.

Oracle released its February Critical Patch Update (CPU) ahead of schedule. The CPU released on February 1 addressed a total of 50 Java vulnerabilities.

However, the company released an updated CPU on February 19 to fix an additional 5 security issues.

The next CPU is scheduled for April 16, but if experts discover that issue 54 and issue 55 are exploited in the wild, Oracle could release another out-of-band patch.

In the meantime, experts keep advising users to disable Java if they don’t need it for their everyday tasks. The new advisories come in light of the recent breaches reported by Facebook, Apple and Microsoft.

In all of these incidents, it’s believed that cybercriminals have leveraged a Java vulnerability to distribute malware onto the organizations' computers.

Comments