
More Java Bugs Lead to More Attacks

Not even a week after Oracle sent out its latest set of Java patches, security firm Security Explorations reported two more vulnerabilities that allow hackers to bypass the language's security sandbox entirely. The reported flaws affect all versions of Java 7, including Java 7 Update 15, the latest one released.

By: Terri Wells
February 25, 2013


Security Explorations posted on their website that they sent the vulnerability notice of what they're calling issues 54 and 55, along with proof of concept code, to Oracle. The software giant confirmed that it received the report and successfully decrypted it. Now it says it “will investigate based on the data provided and get back to us soon,” Security Explorations noted.

Security Explorations CEO Adam Gowdiak, in a discussion with Softpedia, noted that the flaws “allow [hackers] to abuse the Reflection API in a particularly interesting way...Without going into further details, everything indicates that the ball is in Oracle's court. Again.”

While Oracle's next scheduled Critical Patch Update for Java is supposed to happen on April 16, the company has had to release patches sooner in recent months due to exploit kits being found in the wild that take advantage of specific Java security flaws. News stories highlighting these kinds of issues seem to be coming with greater frequency lately; one major hacking incident affected iphonedevsdk.com, a popular iPhone developers' forum. According to Ars Technica, the hackers successfully installed “a collection of malware on the Java-enabled computers of those who visited the site.” Engineers from Facebook, Apple, Twitter and even Microsoft fell victim to this “watering hole” attack. By the way, Ars Technica advised its readers not to visit the iphonedevsdk.com website, as it might still be infected and therefore dangerous.

What's particularly troubling about this incident is that it exploited a then-unreported security flaw in Java – a literal zero-day exploit. Many security researchers (and Java users) have been frustrated with Oracle's slowness in responding to such issues, though it must be admitted that the company has improved on that front. Significant room for improvement remains, however.

So what should your average user do in a situation like this? Waiting for the patch from Oracle carries the risk of falling victim to an attack before the remedy is in place. A number of security industry websites offer one loud and clear answer: if you do not need Java on your computer – and you probably don't – take it right out of your browser. One site even offers a helpful link to an article that explains the risk. The article further links out to directions that explain how to disable Java in Internet Explorer, Firefox, Chrome, Safari, and Opera.
