Java Flaws Mount Up
September 26, 2012

Flaw Found In The Last 8 Years Of Java

Michael Harper for — Your Universe Online

Have you disabled or removed Java yet?

In what's becoming a bit of a broken record of a story, researchers have found yet another flaw in Java which allows hackers to completely bypass the security measures built into the software. What's worse, this new flaw affects the last 8 years' worth of Oracle's Java software, versions 5 through 7, placing more than one billion users in danger of an attack.

When these exploits were first pointed out, several security experts began to suggest disabling the software until a patch was shipped. Now, several of these experts are simply suggesting removing the software altogether.

In an interview yesterday with Computerworld's Darlene Storm, Security Explorations' CEO Adam Gowdiak confirmed this new critical zero-day exploit. "This is a completely new issue," said Gowdiak.

"It has, however, a bigger impact than any previous issue we found as part of our Java security research project, as it affects Java 5, 6 and 7. Most of our previous findings were primarily affecting Java version 7."

Gowdiak and his team at Security Explorations also said they were able to take advantage of this exploit on a fully patched, 32-bit Windows 7 machine in Chrome, Firefox, Internet Explorer, Opera and Safari. It's not just these 32-bit Windows 7 machines which are vulnerable, says Gowdiak, as any computer running Java 5, 6 or 7 is vulnerable to this exploit. Yes, even Macs.

Gowdiak's Security Explorations has developed quite the knack for finding these kinds of Java exploits. So far, Gowdiak and team have discovered a whopping 50 Java flaws. Though they haven't yet seen this exploit being used out in the wild, they did point out that it took Oracle 4 months to roll out a fix for the previous zero-day vulnerability.

Gowdiak and team alerted Oracle, Java's vendor, in April to the vulnerabilities in the software which left computers open to being controlled and manipulated by malware. In August, security researchers at FireEye found that these exploits were being used to install the PoisonIvy backdoor trojan before being integrated into the BlackHole exploit kit, making them widely available on the Internet.

Gowdiak has said he's alerted Oracle to this new flaw, as well as sending the "source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7."

"We haven't heard from them yet," said Gowdiak in his interview with Computerworld.

This new vulnerability gives attackers the chance to completely sidestep the "type safety" security system inside a Java Virtual Machine, giving them near-complete control of a machine.

“A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a Web browser application,” said Gowdiak.

“An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.”

Each of these stories ends with a plea to disable Java in your browser or remove it completely from your computer if you can. Unless you do Android or web development, it's likely you'll never miss it.

Those who need Java know why they need it. If you're unsure, disable or delete it to be safe.
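Before deciding whether to disable or remove Java, it helps to know which release is actually installed. The following POSIX shell script is an added example, not part of the article or of Security Explorations' work: it parses a Java version string into its major release number and flags the 5, 6 and 7 range the article names as affected. It assumes the historical version-string format, in which Java 5 through 8 report themselves as "1.5", "1.6", "1.7" and "1.8" (the "1." prefix was dropped from Java 9 onward), and it reads the installed runtime's version from the quoted string that `java -version` prints.

```shell
#!/bin/sh
# Added example (not from the article): inventory the installed Java
# release and report whether it falls in the range the article says is
# affected (Java 5, 6 or 7).
#
# Assumption: Java 5-8 report versions as "1.5.x", "1.6.x", "1.7.x",
# "1.8.x"; Java 9 and later report "9.x", "11.x", "17.x" and so on.

# Print the major release number for a version string such as
# "1.7.0_07", "1.6.0_35", "9.0.1" or "17.0.2".
java_major() {
    v="$1"
    case "$v" in
        1.*) major=$(printf '%s' "$v" | cut -d. -f2) ;;  # old "1.N" scheme
        *)   major=$(printf '%s' "$v" | cut -d. -f1) ;;  # Java 9+ scheme
    esac
    # Drop an update suffix if it is glued to the major number (e.g. "7_07").
    major=${major%%[_-]*}
    printf '%s\n' "$major"
}

# Succeed (exit 0) when the release is Java 5, 6 or 7, the affected range.
is_affected() {
    m=$(java_major "$1")
    case "$m" in
        5|6|7) return 0 ;;
        *)     return 1 ;;
    esac
}

# Read the installed runtime's version, if "java" is on PATH. The first
# line of `java -version` looks like:  java version "1.7.0_07"
installed_java_version() {
    command -v java >/dev/null 2>&1 || return 1
    java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Report on this machine. Constructed strings above are for testing; this
# part queries the real runtime, if any.
if ver=$(installed_java_version) && [ -n "$ver" ]; then
    if is_affected "$ver"; then
        echo "Java $ver is installed and in the affected 5-7 range: disable or remove it"
    else
        echo "Java $ver is installed and outside the 5-7 range"
    fi
else
    echo "no java runtime found on PATH"
fi
```

Only the major number decides the verdict, because the article attributes the flaw to every release from 5 through 7 regardless of update level; a browser plug-in can be present even when no `java` binary is on `PATH`, so treat "no java runtime found" as a prompt to check the browser's plug-in list, not as an all-clear.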