More Java exploits found...

ImAMacGuy
Valued Contributor II

http://www.tomsitpro.com/articles/it_security-hacking-patches-standard_edition,1-927.html

Six days following the release of yet another security patch for Java, an independent security startup identifies two new serious vulnerabilities in Java 7.

Oracle must be wondering where they went wrong with Java. And if they aren’t, they should be. Just days after releasing update 15 to Java 7, Security Explorations, a Polish startup that specializes in security research and led by Adam Gowdiak, sent a vulnerability notice along with proof of concept code to Oracle identifying two new security flaws.

The security flaws, identified by Oracle as “issue 54” and “issue 55,” allow hackers to bypass the Java security sandbox. A compromise of the Java security sandbox can lead to serious issues, allowing attackers to potentially view and change user data, execute programs and wreak serious havoc. On his Web site Gowdiak notes that Java is not easy to break and that typically more than one issue needs to be present in order to compromise the Java security sandbox, which seems to be the case in these latest vulnerabilities.

Gowdiak told Softpedia that “both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way.” Gowdiak hasn’t shared more details about the vulnerabilities, possibly to prevent hackers from exploiting the flaws. He simply noted that “without going into further details, everything indicates that the ball is in Oracle's court. Again.”

scottb
Honored Contributor

A Java/Flash free computer is a happy computer. We just moved to "Junos Pulse" SSL to replace the old Network Connect. No Java, 'cept what I'm drinking. Could not be happier...

nkalister
Valued Contributor

yeah, the sooner we switch etime to the no java version, the happier I'll be.

gregp
Contributor

http://www.security-explorations.com/en/SE-2012-01-status.html

The company informs that Issue 51 is under investigation / being fixed in main codeline.