Not even a week after Oracle sent out its latest set of Java patches, security firm Security Explorations reported two more vulnerabilities that allow attackers to bypass the language's security sandbox entirely. The reported flaws affect all versions of Java 7, including Java 7 Update 15, the latest one released.
Security Explorations posted on its website that it sent the vulnerability notice for what it is calling issues 54 and 55, along with proof-of-concept code, to Oracle. The software giant confirmed that it received the report and successfully decrypted it. Oracle now says it “will investigate based on the data provided and get back to us soon,” Security Explorations noted.
Security Explorations CEO Adam Gowdiak, in a discussion with Softpedia, noted that the flaws “allow [hackers] to abuse the Reflection API in a particularly interesting way...Without going into further details, everything indicates that the ball is in Oracle's court. Again.”
While Oracle's next scheduled Critical Patch Update for Java is supposed to happen on April 16, the company has had to release patches sooner in recent months because exploit kits found in the wild were taking advantage of specific Java security flaws. News stories highlighting these kinds of issues seem to be arriving with greater frequency lately; one major hacking incident affected iphonedevsdk.com, a popular iPhone developers' forum. According to Ars Technica, the hackers successfully installed “a collection of malware on the Java-enabled computers of those who visited the site.” Engineers from Facebook, Apple, Twitter and even Microsoft fell victim to this “watering hole” attack. Ars Technica also advised its readers not to visit the iphonedevsdk.com website, since it might still be infected and therefore dangerous.
What's particularly troubling about this incident is that it exploited a then-unreported security flaw in Java – a literal zero-day exploit. Many security researchers (and Java users) have been frustrated with Oracle's slowness in responding to such issues, though it must be admitted that the company has improved on that front. Significant room for improvement remains, however.
So what should the average user do in a situation like this? Waiting for the patch from Oracle carries the risk of falling victim to an attack before the remedy is in place. A number of security industry websites offer one loud and clear answer: if you do not need Java on your computer – and you probably don't – take it out of your browser. One site even offers a helpful link to an article that explains the risk, and that article in turn links to directions for disabling Java in Internet Explorer, Firefox, Chrome, Safari, and Opera.
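The browser-specific directions the article points to are one way to check a machine; another is to look at the Java runtime's own per-user configuration. The script below is an added example written for this page, not code from the article or from Oracle. It parses a Java `deployment.properties` file (the format is plain Java properties) and reports whether Java content in the browser is still enabled and what security level is set. The key names `deployment.webjava.enabled` and `deployment.security.level` are taken from Oracle's deployment-configuration documentation for Java 7 Update 10 and later; the sample file contents are constructed, and the file path in `main` is an assumed example location.

```python
import re
import sys

# Constructed sample of a deployment.properties file (not taken from any real
# machine). Java writes this file when settings change in the Java Control Panel.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Sat Mar 02 10:00:00 CET 2013
deployment.version=7.15
deployment.javaws.version=javaws-10.15.2.03
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.modified.timestamp=1362214800000
"""

_KV = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Handles '#'/'!' comment lines, '=' or ':' separators and backslash-escaped
    separator characters in keys. Line continuations are not needed for the
    deployment file and are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if not m:
            continue
        key = re.sub(r"\\(.)", r"\1", m.group(1))   # unescape '\:' and '\='
        props[key] = m.group(2).strip()
    return props


def assess_browser_java(props):
    """Return a list of findings a defender would act on.

    A missing deployment.webjava.enabled key is treated as 'enabled' (the
    conservative reading, assumed here rather than taken from Oracle docs).
    """
    findings = []
    enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    if enabled:
        findings.append("Java content in the browser is enabled; disable it unless required")
    level = props.get("deployment.security.level")
    if level is None:
        findings.append("deployment.security.level is not set; set it to HIGH or VERY_HIGH")
    elif level.upper() in ("LOW", "MEDIUM"):
        findings.append(f"security level is {level.upper()}; raise it to HIGH or VERY_HIGH")
    return findings


def main(argv):
    # Assumed usage: pass the path of a deployment.properties file, e.g.
    # ~/.java/deployment/deployment.properties on Linux; with no argument the
    # constructed sample above is assessed instead.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROPERTIES
    findings = assess_browser_java(parse_properties(text))
    if not findings:
        print("OK: browser Java disabled and security level is HIGH or above")
    for f in findings:
        print("FINDING:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the two findings the constructed sample produces; a file with `deployment.webjava.enabled=false` and `deployment.security.level=HIGH` produces none. The exit code is non-zero when anything is flagged, so the script can be dropped into an inventory or compliance job.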