Security Explorations: security vulnerability discovered in the Java 7 update
IT security specialists at the Polish company Security Explorations report that they have found security vulnerabilities in the Java 7 update released less than a day ago.
The company says the vulnerabilities can be exploited to bypass the Java "sandbox" and execute potentially malicious code on the target system. Security Explorations says it has already passed the vulnerability details to Oracle, together with a proof-of-concept exploit that demonstrates the Java compromise for testing purposes.
Adam Gowdiak, CEO of Security Explorations, said that for now his company will not publish technical details of the vulnerability, in order to give Oracle time to fix the problem.
Traditionally, Oracle releases fixes for its products once a quarter, but this week an out-of-band update was released for Java 7 in which the company closed three critical vulnerabilities: information about them was already publicly available, and attackers had begun actively exploiting them.
Java 7 Update 7 was also supposed to remove a security-in-depth issue which, although not directly exploitable, could still be dangerous. The Polish company says that the fixes Oracle made to the Java Virtual Machine have not been effective, and that the product still contains vulnerabilities related to the operation of its isolated execution environment (the so-called sandbox).
Gowdiak said that in April the company reported nearly three dozen Java 7 vulnerabilities to Oracle, but not all of them have been fixed yet, and two of them are being actively exploited. According to the company, Oracle removed the getField and getMethod methods from the sun.awt.SunToolkit class, which neutralizes the existing proof-of-concept exploits, but a way to bypass the JVM sandbox still remains, and that is no less dangerous a threat.
The Polish company says it does not know when the remaining vulnerability will be fixed; possibly not before 16 October, when Oracle releases its quarterly patch set for its products.