Oracle issue emergency patch for Java, but more flaws are found

News by Dan Raywood

A fresh bug has been discovered in Java, just days after Oracle patched the bug which dominated last week's headlines.

According to Security Explorations researcher Adam Gowdiak, one of the fixes for the Java zero-day flaws also addressed the exploitation vector that relied on the sun.awt.SunToolkit class.

“Removing getField and getMethod methods from the implementation of the aforementioned class caused all of our full sandbox bypass Proof of Concept codes not to work any more,” he said. He also said that not all security issues that were reported in April 2012 got addressed by the recent Java update.

Gowdiak said that he had sent a security vulnerability report, along with proof-of-concept code, to Oracle that successfully demonstrates a complete JVM sandbox bypass in the latest Java SE software.

“The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again,” he said. Oracle has confirmed receipt of the research.

Oracle issued an out-of-cycle patch for the vulnerabilities last Thursday. The advisory said: “This security alert addresses security issues CVE-2012-4681...and two other vulnerabilities affecting Java running in web browsers on desktops.

“These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.”

The flaws had been added to the BlackHole exploit kit, increasing its ‘success’ rate of infection by 15 per cent. Metasploit creator H.D. Moore told Forbes that Oracle's patch did block Metasploit's ability to carry out the Java hack.

Andrew Storms, director of security operations for nCircle, said: “Oracle just released Java 7 update, and the release notes don't contain even the most basic information; no release date and the link to the CVE fixed in this release just goes to a blank page. The world of Oracle users are holding their breath waiting for some kind of definitive official statement.

“This is a complete security communication fail on Oracle's part. How do they expect their customers to take advantage of this patch without any additional details?”
