
[January 20, 2013]

Researchers find another Java security flaw [Computer News Middle East]

(Computer News Middle East Via Acquire Media NewsEdge) Researchers from a Poland-based vulnerability research firm on Friday announced that they had found vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software’s security sandbox and execute arbitrary code on computers.


Oracle released Java 7 Update 11 last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware.

Security Explorations successfully confirmed that a complete Java security sandbox bypass can still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company’s researchers, Adam Gowdiak, the company’s founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.

According to Security Explorations’ disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.

Researchers from security firm Immunity, who analyzed the exploit being used by cybercriminals since last week, concluded that it also combined two vulnerabilities to achieve a Java sandbox escape. However, they later said in a blog post that Java 7 Update 11 only addressed one of them and warned that if attackers find another vulnerability to replace the patched one, a new exploit can be created.

The vulnerabilities discovered by Security Explorations are separate from the one left unpatched by Oracle in Java 7 Update 11, Gowdiak said on Friday via email.

Some security researchers, including those from the U.S. Computer Emergency Readiness Team (US-CERT), continued to advise users to disable the Java browser plug-in despite the release of Java 7 Update 11, citing concerns that similar attacks might occur in the future.

“There is definitely something worrying regarding the quality of Java SE 7 code,” Gowdiak said. This could suggest the lack of a proper Secure Development Lifecycle program for Java or some other problems that are internal to Oracle, he said.

That said, the fact that Java 7 Update 11 asks for users' confirmation before allowing Java applets to be executed inside browsers is definitely a step in the right direction and could block many attacks, Gowdiak said.

(c) 2013 Corporate Publishing International. All rights reserved. Provided by Syndigate.info an Albawaba.com company
