Oracle failed to properly address CVE-2013-5838

Mar 11, 2016 15:30 GMT

A faulty security patch has left Java users vulnerable to attacks in the past two years, researchers from Polish security firm Security Explorations are claiming.

The issue in question is CVE-2013-5838, which was discovered back in 2013 by the same company and reported to Oracle, who proceeded to patch the bug, classified at that time as a sandbox exploit for Java Web Start applications and Java applets.

The issue was rated as critical, with a severity score of 9.3/10, and Oracle pushed out Java SE 7 Update 40 to address the problem in October 2013.

Exploit still viable two years later

Two years later, going back over their research, the same security researchers have now discovered that Oracle had not only misclassified the issue's impact but also botched the fix.

Adam Gowdiak, Security Explorations researcher, says that the issue can also be exploited in server environments and even in Google App Engine installations.

In a Full Disclosure exposé, the researcher says that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch.

The exploit works even against newer Java versions such as Java SE 7 Update 97, Java SE 8 Update 74, and Java SE 9 Early Access Build 108. The researcher has provided new proof-of-concept code, along with an updated technical paper on how this flaw can be exploited.

Oracle is not aware of its botched patch

Gowdiak says that they did not contact Oracle about this new issue since the company had already been informed in 2013, and they had their chance to get it right from the get-go.

The issue, which the researchers describe as "a very classic attack against JVM (class spoofing attack)," only provides an escape from Java's sandbox, the restricted, virtual machine-like environment in which untrusted code runs.

To exploit it, attackers would still need to bypass Java's Click2Play feature, a security mechanism that prevents Java applets from running automatically inside a browser or on the desktop. Additionally, attackers would need to sign their malicious applets so that Java's security defenses do not block them from running altogether.

Attackers would need to chain different exploits together to take advantage of this improperly patched issue, but this is not such a far-fetched scenario.