Java: New flaw identified, old one attacked


nsane.forums

Flaw in latest Java version allows bypass of Java security sandbox.

A flaw identified in the latest version of Java allows for a complete bypass of the Java security sandbox, a security firm reported today. Meanwhile, a security hole recently fixed by Oracle is being targeted by attackers, underscoring the importance of installing patches quickly.

The security firm Security Explorations said today that it sent a "Vulnerability Notice along with a Proof of Concept code" to Oracle, and that Oracle has confirmed receiving the notice. "The company informs that it will investigate based on the data provided and get back to us soon," Security Explorations said.

Security Explorations CEO Adam Gowdiak told Softpedia that it tested the flaw in the original release of Java 7, as well as in Java 7 Updates 11 and 15. Java 7 Update 15 is the latest version released last week. "When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox," Softpedia wrote.

Few details of the flaw were shared, presumably to prevent it from being exploited by hackers. Gowdiak told Softpedia that the flaw allows abuse of the Java Reflection API "in a particularly interesting way… Without going into further details, everything indicates that the ball is in Oracle's court. Again."

Java updates have been coming frequently lately to patch all the various security holes that have been identified by security firms and/or targeted in attacks. An attack targeting Java 7 Update 11 is now "in the wild," according to an update today from security firm Rapid7. The hole allows bypass of the security sandbox and was fixed by Oracle in Update 13 on Feb. 1. However, exploit kits used by attackers now reportedly target this flaw. The good news is that user interaction is required to run the exploit—no infections will occur unless the user clicks "Run" when asked "Do you want to run the application?"

We've advised before that users who don't need Java should consider uninstalling it, or at least the Java plug-ins used to run Java content in Web browsers. Even savvy computer users aren't necessarily safe. An iPhone developer forum was found last week to be hosting malware targeting Java-enabled computers—resulting in attacks targeting employees of Facebook, Twitter, and Apple.


Has Java opened up an alternate dimension or what? I mean seriously.....new flaws like.....EVERY SINGLE DAY NOW. I'm wondering...is this being done so the government has MORE control over the Internet or is this being done as a way of the government indirectly closing their backdoors to the control grid because they realize that the truth about global crime and corruption is coming out and so they want to pretend to have never been there; sort of like writing yourself out of the code.


This is nothing new - Java has always been (and will continue to be) exploited.

Earlier those vulnerabilities & exploits went unreported - nowadays members are becoming aware purely because News Hound has now decided to sensationalize such events, which were going unreported.

Expect a new release by month-end.


Java is terrible stuff... don't use it unless you really really really really have to!

trouble is not Java at all, just the browser plugin only, and you can disable that with a simple click if needed.


Java is terrible stuff... don't use it unless you really really really really have to!

trouble is not Java at all, just the browser plugin only, and you can disable that with a simple click if needed.

Some people probably require a tutorial (even for that - shall include it, FWIW.) :P


I might be completely wrong about this, but I only view the vulnerability of Java as the vulnerability of Windows; popularity. If Mac was as popular as Windows in all the same areas, same thing would sooner or later happen to them. "Windows Store is gonna be so secure from piracy! You've to connect to the Internet to verify, blablabla, huehuehue..." Some months later, Windows Store apps are already hacked.

Hackers don't give shit for what companies say or do, they will find a way and they will do it quick. Java is no exception and SHOULDN'T BE an exception for this threat. I say get over it to anyone who actually takes these kinds of news seriously, cause then you're probably gonna have a heart attack if you knew, no matter what OS you use, be it mobile or desktop, all the serious holes a hacker or virus creator could go through at any moment in time.


  • Administrator

Earlier those vulnerabilities & exploits went unreported - nowadays members are becoming aware purely because News Hound has now decided to sensationalize such events, which were going unreported.

If there was no sensationalization, no one would care, and wouldn't be knowing anything when they were attacked. With this news, it should be expected that people respect their security practices more.

trouble is not Java at all, just the browser plugin only, and you can disable that with a simple click if needed.

Not true. The Java we speak of is not limited to plugins only. Run an app compromised with a hole, which is made in Java, and it will do the same job (I think).


Earlier those vulnerabilities & exploits went unreported - nowadays members are becoming aware purely because News Hound has now decided to sensationalize such events, which were going unreported.

If there was no sensationalization, no one would care, and wouldn't be knowing anything when they were attacked. With this news, it should be expected that people respect their security practices more.

Sensationalization always harbors a questionable motive - invariably results in a skewed perspective (leaving the Reader disillusioned.)

BTW, it can grow dangerous, too - we don't want that happening.


Not true. The Java we speak of is not limited to plugins only. Run an app compromised with a hole, which is made in Java, and it will do the same job (I think).

ofc, like in any programming language; for example I can make an app in C++ to delete the whole content of your secondary hdd without asking anything, and it will not be detected by antivirus or related things.

is this a vulnerability in C++ then?

no, just a feature of any programming language: you can program anything, even undetectable malware.


Archived

This topic is now archived and is closed to further replies.