Security vulnerability has been discovered in an update, Java 7

Posted: September 1, 2012 in Security Notices
Tags: , , ,

Oracle LogoSecurity Explorations: security vulnerability has been discovered in an update, Java 7

Specialists in IT security of the Polish company Security Explorations reported finding security vulnerabilities in Java 7, an update, released less than a day ago.

The company says that can be exploited to bypass the “sandbox” Java and execute potentially malicious code on the target system. In the Security Explorations say that already passed the data on vulnerabilities in Oracle with kotseptualnym exploit performing hacking Java for testing purposes.

Director General of Security Explorations Govdiak Adam said that while his company does not publish the technical details of the vulnerability, to give Oracle some time to fix the problem.

Recall that the traditional Oracle releases fixes for their products once a quarter, but this week for Java 7 was released extraordinary update, which the company closed three critical vulnerabilities for which information was available to the general public, and hackers have begun to actively exploit vulnerabilities for attacks.

Java 7 Update 7 also had to get rid of the problem of security-in-depth, which, although not directly exploited, still be dangerous. The Polish company said that work carried out by Oracle in terms of troubleshooting in Java Virtual Machine, have not been effective and the product still contains vulnerabilities associated with the work of an isolated execution environment (the so-called sandbox).

Govdiak said that in April, the company reports its nearly three dozen vulnerabilities in Java 7 Corporation Oracle, but still not all of them are removed and the two vulnerabilities are in a phase of active operation. The company said that Oracle has removed the methods getField and getMethod from class sun.awt.SunToolkit, that will get rid of the so-called POC-exploits, but on the other hand, there is the opportunity to bypass the sandbox in the JVM, which is no less dangerous threat.

In the Polish companies say they do not know when the last vulnerability is fixed. Maybe not before 16 October, when Oracle has released a quarterly patch set for their products.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s