Two More Java Flaws Emerge

Thomas Brewster,

Java security problems just won’t go away for Oracle

Yet more Java vulnerabilities have been uncovered, as security professionals fret about the quality of Oracle’s patch issued last weekend.

Security Essentials, the Polish firm that has been particularly adept at finding holes in Java, said it told Oracle about the two fresh vulnerabilities it had uncovered on Friday. The company did not go into detail about what the fresh flaws were and how they could be exploited.

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21),” a post on the Seclists.org Full Disclosure site.

Java security

Oracle has been plagued with Java problems this month, with one zero-day flaw exploited via various malicious kits, which sought to serve up malware via hacked websites. It eventually released a fresh version of Java and believed it had covered that flaw.

But security professionals agreed the patch was incomplete and that Java should be disabled by all those who don’t need it. Others have pointed to inherent security problems in Java, which Oracle may have trouble rectifying.

“The Java applet security model has not kept up with up with browser-based threats. In an era where sandboxing at the process level has become the norm (Adobe Reader, Flash on Chrome, Chrome itself, Internet Explorer low-privacy mode), Java continues to enforce all security at the interpreter level,” said CSO at security firm Rapid7, and chief architect of Metasploit, HD Moore.

“If Oracle wants Java to be successful within the browser they will need to make serious investments into the security model and their ability to respond quickly to new threats.

“Java would benefit from a process-level sandbox and a drastic change in the APIs available to untrusted applets.”

Others have slightly stronger opinions on what Oracle should do. “Oracle should just take a mulligan and redesign Java from the ground up before everyone completely loses faith in it and other Oracle products,” said Andrew Storms, director of security operations for nCircle.

What do you know about online security? Try our quiz and find out.