ID: IRCNE2012091599
Date: 2012-09-02
According to “CNet”, only hours after Oracle released its latest Java 7 update to address active exploits, security researchers found yet another vulnerability that can be exploited to run arbitrary code on systems that have the runtime installed.
The Polish security firm Security Explorations is claiming to have discovered two new vulnerabilities in Java 7, which so far are proof-of-concept exploits that can be used to break the Java 7 sandbox and execute code.
Security Explorations is keeping the details about these latest vulnerabilities secret until Oracle addresses the problem, and has only stated that when exploited they allow rogue Java applets to break the Java sandbox and execute arbitrary code on the system.
Being only proof-of-concept attacks means that for now they should not pose much of a threat to Java users, and Oracle should address them in future updates. Oracle has known about these and other exploits since April of this year, and has not taken steps to close them.
These latest developments serve as a warning against using Java when not needed and also prematurely updating Java. Java 7 is still very early in its development, being only the seventh release so far, whereas prior runtimes have received over 30 updates to patch and manage vulnerabilities. As a result, if you need Java then you might consider installing a prior runtime version that has been well-tested, but if you do not need Java then you might consider avoiding installing it or removing it from your system if it is already installed.
- 2