Researchers at Security Explorations recently announced that they had found five additional vulnerabilities in Java SE 7. A skilled attacker could chain them to bypass the Java sandbox (the three-tiered set of security controls that confines what untrusted Java code, such as a browser applet, is allowed to do on the host) and install damaging malware.
It appears from news reports that four of these relate to the Reflection API. Many details have yet to be released.
"Five new security issues were discovered in Java SE 7 (numbered 56 to 60), which when combined together can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 update 15," Adam Gowdiak, CEO of Security Explorations, announced Monday on BugTraq. "The attack breaks a couple of security checks introduced to Java SE by Oracle over the recent months (issues 57 and 58). It also exploits code fragments that were missing proper security checks corresponding [in] mirror code (issue 59 and 60). Finally, it demonstrates a difference between the JVM specification and its implementation (issue 56)."
The news comes shortly after the Poland-based Security Explorations told Oracle about two other vulnerabilities that could also bypass the Java sandbox. One of these was “confirmed” by Oracle, but the other (Issue 54) was “dismissed,” according to Threatpost. Gowdiak insists that the "allowed behavior" Oracle cited is in fact not allowed in Java SE.
“We confirmed that company's initial judgment of Issue 54 as the ‘allowed behavior’ contradicts both Java SE documentation as well as existing security checks in code,” Gowdiak was quoted by Threatpost. “Oracle needs to either start treating Issue 54 as a vulnerability or change the docs and relax some of the existing security checks.”
"We've also found evidence in Oracle's own Java SE docs that contradicts company's claims,” Gowdiak added in the Threatpost comments. “If Oracle sticks to their assessment we'll have no choice than to publish details of Issue 54.”
Oracle has been on the hot seat recently regarding threats to Java. The U.S. Department of Homeland Security encouraged users and system administrators “to disable Java plug-ins in the browser because of a major vulnerability in the software,” ComputerWorld Canada reported. An emergency update to Java 7 did not address two additional vulnerabilities which attackers could use “to execute arbitrary code on computers,” the report added.
On Monday, Oracle released updates for Java 6 and Java 7. “One of the vulnerabilities, CVE-2013-1493, has been actively used by attackers to infect PCs with malware known as McRAT. The remote access Trojan (RAT) is designed to download further malware onto an infected PC. The other fix included in Oracle's Java patch, for ‘another closely related bug’ (CVE-2013-0809), hasn't been seen in active attacks,” Information Week reported.
The Monday release of the patches was the third time so far in 2013 that Oracle has released patches for Java. There was a release in January in response to a zero-day bug. Also, there was a scheduled release in February that fixed 50 bugs.
There are other continuing concerns. “The recent spate of Java bug reports have led to confusion over what types of Java are vulnerable to being attacked,” Information Week added. “In general, security experts have recommended that computer users disable the Java browser plug-in whenever possible, or else maintain a separate browser with the Java plug-in installed, and use that browser only with known, trusted websites.”
Oracle – which will likely continue to speed up the release of fixes for Java – said it will release a Critical Patch Update for Java SE on April 16, 2013, at the same time as the normally-scheduled Critical Patch Update for all non-Java products, according to TMCnet.