Java 7 is more exploitable than Java 6: Security Explorations CEO Adam Gowdiak said
09-02-2012, 03:15 PM, (This post was last modified: 09-02-2012, 03:23 PM by sujay.)
A few hours after the release of the Oracle patch for the Java exploit CVE-2012-4681, security researchers from the Poland-based company Security Explorations claimed to have found a vulnerability that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system. Adam Gowdiak, CEO of Security Explorations, explained the incident to InfoWorld via e-mail.
Quote: Java 7 Update 7 also patched a "security-in-depth issue" which, according to Oracle, was not directly exploitable, but could have been used to aggravate the impact of other vulnerabilities. The patching of that "security-in-depth issue," which Gowdiak calls an "exploitation vector," rendered all of the proof-of-concept (PoC) Java Virtual Machine (JVM) security bypass exploits previously submitted by the Polish security firm to Oracle ineffective.
The discovery of the latest exploit came within 2-3 hours of research "while trying to fix the proof-of-concept codes that stopped working after applying the recent Java patch." Gowdiak also said:
Quote: However, this only happened because the "exploitation vector" was removed, not because all vulnerabilities targeted by the exploits were patched... The new vulnerability discovered by Security Explorations in Java 7 Update 7 can be combined with some of the vulnerabilities left unpatched by Oracle to achieve a full JVM sandbox bypass again.
Gowdiak didn't reveal any technical details because that may make it easier for criminals to exploit the flaw in e-mail- or Web-based attacks. He also said that Java 6 has better security than Java 7.
Quote: "Java 7 was surprisingly much easier for us to break... For Java 6, we didn't manage to achieve a full sandbox compromise, except for the issue discovered in Apple QuickTime for Java software."
Security Explorations came to light when it became known that the last Java exploit, CVE-2012-4681, was in fact reported by them in April, and Oracle has yet to cover all the vulnerabilities reported by them.
Oracle broke their quarterly Java patching schedule with the last update, but it is uncertain whether they will patch this issue too.

With all these events going on, it seriously seems that we should stop using Java immediately unless we need to.