According to the statements of experts discovered vulnerability allows an attacker to bypass the sandbox Java.
Representatives of the Polish company Security Explorations announced the discovery of a new vulnerability in Java 7, which allows an attacker to bypass the sandbox software and execute arbitrary code on the system.
To confirm the presence of gaps Adam Gowdiak, CEO and founder of Security Explorations, sent a notice to the PoC-code vulnerability in Oracle. According to the researcher, the vulnerability is present in the Reflection API – functions in Java 7. In the Security Explorations confirmed that the PoC-exploit code works for Java SE 7 Update 25 and earlier versions.
Gowdiak said that the discovered vulnerability could allow hackers to carry out a “classic” attack to destroy the virtual machine Java, which has been known for over 10 years.
“This is one of those risks that should be protected first and foremost, with innovations in Java at the core of the virtual machine. Surprisingly, that protection against this type of attack has not been implemented in the Reflection API for developing Java 7” – said the expert.
According to the researchers, the vulnerability allows an attacker to compromise the fundamental safety functions virtual machine Java. “As a result of the attack fraudster may make changes in the operation of the type conversion” – said Gowdiak. In Java, the operation of this type must follow strict rules in order to access the memory was carried out safely.
Gowdiak criticized Oracle for the presence of vulnerabilities in Java 7 and raised the question of the effectiveness of its software, which is responsible for ensuring the safety and security inspection procedures code.
New Reflection API affected by a known 10+ years old attack: http://seclists.org/fulldisclosure/2013/Jul/172
