ID: IRCNE2013021772
Date: 2013-02-26
According to "computerworld", a Polish security firm known for rooting out Java vulnerabilities has reported two new bugs in the browser plug-in to Oracle, Security Explorations said today.
On its bug-reporting status page, Security Explorations noted that it had submitted details of the flaws, including proof-of-concept exploit code, to Oracle.
"We had yet another look into Oracle's Java SE 7 software that was released by the company on Feb. 19," said Adam Gowdiak, in an email reply to questions today. "As a result, we have discovered two new security issues, which when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03)."
Oracle shipped Java 7 Update 15 (7u15) on Feb. 19, bundling patches first released in a Feb. 1 emergency update with fixes for five more vulnerabilities.
The new vulnerabilities affect only Java 7, said Gowdiak in another email. Java 6, which Oracle has officially retired from support, does not contain the bugs.
Java has faced an increasing number of "zero-day" vulnerabilities, bugs that are exploited by criminals before those flaws are patched, or even known by the vendor. Oracle has been forced to rush out patches twice this year to close those holes.
The newest vulnerabilities can be combined to circumvent Java's anti-exploit "sandbox" technology, Gowdiak confirmed, and used to attack machines whose browsers have the Java plug-in installed.
Not surprisingly, other security experts today again urged users to disable or even uninstall Java.
Related Link:
Oracle to release yet more patches for Java
Apple restores Java on OS X
Oracle releases Java patch update
Malware masquerades as patch for Java
Researchers find critical vulnerabilities in Java 7 Update 11
Homeland Security still advises disabling Java, even after update
Oracle pushes out Java patches as zero-day vulnerabilities exposed
Java security fix coming shortly
New malware exploiting Java 7 in Windows and Unix systems
US-CERT: Disable Java in browsers because of exploit
- 2