nsane.forums Posted September 25, 2012

Flaw in last three Java versions, 8 years' worth, puts a billion users at risk.

Java gets exposed, yet again.

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years' worth of Java software.

“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote, claiming the hole puts "one billion users" at risk.

Gowdiak wrote that Security Explorations successfully pulled off the exploit on a fully patched Windows 7 32-bit computer in Firefox, Chrome, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit, Gowdiak told Computerworld that the flaw would be exploitable on any machine with Java 5, 6, or 7 enabled (whether it’s Windows 7 64-bit, Mac OS X, Linux, or Solaris).

The bug lets attackers violate the “type safety” security system in the Java Virtual Machine. “A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a Web browser application,” Gowdiak told Computerworld. “An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.”

Gowdiak and his team have found a total of 50 Java flaws. While this latest one apparently isn’t being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability.
Gowdiak reported today that he provided Oracle with a technical description of the latest flaw, as well as “source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7.” We asked Oracle for comment this afternoon and have not heard back yet.

View: Original Article

shanijee Posted September 26, 2012

Microsoft is putting away Java from new OS Windows 8

edwardecl Posted September 26, 2012

Java was not included with Windows 7 either... it's an optional install from the Java website. And again, it's your choice what Java applications you run inside your web browser; only allow the trusted ones and you'll be safe, unless someone has hacked the trusted site, in which case you probably have more problems.

Administrator DKT27 Posted September 26, 2012

Critical Java exploit found, puts 1 billion computers at risk

A security researcher has discovered another zero-day security exploit in Java, one that affects pretty much every Java version across every browser - putting around one billion computers at risk.

Oh look, another critical Java security vulnerability has been discovered, something that seems to be a trend for Oracle's widely used software. The exploit, as detailed by Seclists' Full Disclosure mailing list, bypasses the Java security sandbox in all versions of Java from SE 5 to the latest SE 7 Update 7 in the latest versions of all popular browsers. Basically, if you have a computer - Mac or PC - and it has Java installed, it could be vulnerable to this new exploit.

Adam Gowdiak, who discovered the Java vulnerability, said that he found the bug last week, created a proof-of-concept exploit and then reported the issue to Oracle on Tuesday, who have confirmed the issue. He is "not aware of any active attacks that would exploit this vulnerability" but claims the potential impact is bigger than previous exploits.

October 16 is the next scheduled Java update, and it's likely Oracle will wait until this date to patch the vulnerability. If you are concerned about your security, it's recommended either to uninstall Java from your system (if you don't use it) or temporarily disable it until a patch is released.

View: Original Article

edwardecl Posted September 27, 2012

Or install NoScript in Firefox, which is exactly what I do... Does not matter if an exploit has been discovered; computer programs with access to memory, CPU and a network will always be a security risk no matter how safe you think it is; everything is exploitable. How many more exploits out there do you think are not disclosed by nice people? And like this article says, the exploit has been there for quite a long time... Java 5 came out, according to Wikipedia, September 30, 2004, so Java has been exploitable without patches for 8 years!!! And you think your other software is 100% safe... yeah right.

Archived
This topic is now archived and is closed to further replies.