Critical Java Security Flaw Discovered Could Affect A Billion People

Security Explorations, a security research and analysis agency, has discovered a new Java security vulnerability that could potentially put about 1 billion people at risk of hacks or virus attacks. The security flaw is found in Java SE 5 build 1.5.0_22-b03, Java SE 6 build 1.6.0_35-b10, and the latest version, Java SE 7 build 1.7.0_07-b10, which are used by almost every smartphone and computer on the planet.

“We’ve recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software. The impact of this issue is critical – we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7. So far, we could only claim such an impact with reference to Java 7 environment (the Apple QuickTime attack relying on Issues 15 and 22 is the only exception here),” Security Explorations posted in its blog.

Adam Gowdiak, CEO of Security Explorations, explains that “the bug allows to violate a fundamental security constraint of a Java Virtual Machine (type safety),” which is caused by the way it handles defined data types.

Security Explorations verified this security loophole by testing it on a fully patched Windows 7, 32-bit operating system, running the latest versions of Internet browsers such as Firefox 15.0.1, Google Chrome 21.0.1180.89, Internet Explorer 9.0.8112.16421 (update 9.0.10), Opera 12.02 (build 1578) and Safari 5.1.7 (7534.57.2), and they were able to successfully exploit the security flaw in Java SE software. The vulnerability is not limited to Windows alone and exists on Mac OS, Linux and Solaris as well, since all of these rely on the same Java Runtime software.

The security agency has already alerted Oracle regarding the issue and has provided them with a detailed technical report describing the vulnerability, including particulars of their Proof of Concept, which explains how they managed to achieve Java security sandbox bypass. The agency hopes that considering the gravity of the matter, Oracle will come up with a patch at the earliest.

Via: The Verge

Source: Security Explorations