CTA: New Java Vulnerability
Despite a recent critical patch to Java SE, the Polish security firm Security Explorations has released details of yet another Java vulnerability. Adam Gowdiak, a researcher at the firm, provides a full disclosure of the exploit here.
Submission of Issue 61 to Oracle
The same routine applies here: users should disable Java in their browsers using the following instructions (courtesy of Sophos):
Also, given the string of recent security flaws in Java, users who can do without it might consider uninstalling Java temporarily, at least until its security improves.
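As an added example (not from the post or from the Sophos instructions it refers to), this is the setting an administrator can push system-wide through the Java 7 deployment configuration files, rather than relying on each user to untick the box in the Java Control Panel. It uses the `deployment.webjava.enabled` property from Oracle's deployment configuration documentation; the file paths are assumptions (they differ per platform and install), and the `.locked` entry stops users from re-enabling the plugin from the Control Panel:

```properties
# deployment.config: lives in the JRE's lib/ directory (Windows path assumed here)
# and points the JRE at a mandatory, machine-wide deployment.properties file.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# deployment.properties (the file referenced above):
# turn off "Enable Java content in the browser" for every user on this machine...
deployment.webjava.enabled=false
# ...and lock it so the option is greyed out in the Java Control Panel.
deployment.webjava.enabled.locked
```

After the change, the Security tab of the Java Control Panel should show the option unchecked and greyed out, and a browser restart is needed before the plugin actually stops loading. Note that this only covers the Oracle plugin on that JRE; other installed JREs, or Apple's bundled Java 6 on older Macs, need their own handling.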
Gowdiak explains that this issue, dubbed Issue 61, allows a complete sandbox bypass and affects all versions of Java SE 7, including the new Server JRE.
Security Explorations is also the firm that discovered Issues 54 and 55, mentioned in a previous advisory back in March. In yesterday's disclosure, Gowdiak expressed surprise that Reflection API vulnerabilities are still being discovered a year after the firm's initial report to Oracle.
While untrusted Java code requires user interaction before it will execute, some software vendors have signalled that this alone is not enough to protect the end user. Apple's growing concern over the security of Java prompted the company to release a Safari update that lets the user specify which websites are allowed to run the Java plugin.
Clicking “Manage Website Settings” allows users to specify which sites allow Java.
Hopefully this will be addressed quickly with a patch from Oracle, which has yet to release any official statement on the vulnerability. In the meantime, make sure Java is disabled in your browser and stay tuned for updates.
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes, where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies, where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell