
Monday, 8 July 2013

Expert says Oracle's latest Java 7 update has some sandbox-bypass bugs.


A week after Oracle released Java 7 Update 11 to patch or mitigate two zero-day vulnerabilities in Java that were being actively exploited by attackers, expert Java bug hunter Adam Gowdiak of Security Explorations in Poland discovered two new bugs in Java Standard Edition.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," wrote expert Adam Gowdiak in a post to the Full Disclosure mailing list. As a result, any attacker who exploited the bugs would be able to craft malware that escaped the JRE sandbox, fully compromising a vulnerable system.

Moreover, the two newly discovered bugs have nothing to do with Oracle's partial patch of the "MBeanInstantiator" flaw, which Oracle delivered by changing the default Java security setting from medium to high; that setting also requires that unsigned Java Web apps be authorized by the user before being allowed to run. "The MBeanInstantiator bug (or rather a lack of a fix for it) turned out to be quite motivational for us," said Gowdiak. "But, instead of relying on this particular bug, we just decided to dig our own issues. So, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."
