Oracle investigating after two more Java 7 zero-day flaws found

Summary: Polish security researchers have discovered yet more zero-day vulnerabilities in Java, the beleaguered Web plug-in that was exploited in the successful intrusions into Facebook, Apple and Microsoft in recent weeks.

Java is at the center of yet another security storm after Polish security researchers found not one but two separate new zero-day flaws in the Web plug-in software.

Web users are once again warned to disable Java immediately to prevent infection of production machines or networks.


Security firm Security Explorations submitted information about the bugs to Oracle, the developer of the Java 7 software, including proof-of-concept code demonstrating that the bugs exist. However, in one of the two cases Oracle considers the behavior "allowed behavior," suggesting the company has no intention of fixing the alleged flaw.

The two zero-day flaws are the latest in a series of problems affecting the Java plug-in, which have already forced Oracle to issue two emergency patches this year alone.

In a posting to the Seclists.org security forum, security researcher Adam Gowdiak said his firm had examined the latest Java 7 software update, released on February 19, and found two new security issues, dubbed Issue 54 and Issue 55, which "when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 (Update 15)."

He added: "Everything indicates that a ball is in Oracle's court. Again."

Issue 54 was "not treated as a vulnerability" by Oracle, Gowdiak said, as the company considers it "allowed behavior." The security firm disagrees, because a mirror case corresponding to the 'flaw' results in access being denied and a security exception being thrown, which indicates the behavior is inconsistent rather than intended. Issue 55, however, was confirmed by Oracle as a vulnerability.

The researchers warned in the posting that should the Java maker stick to its position that Issue 54 is not a security vulnerability, they will publish details of the flaw.

Java 6, which Oracle no longer supports, is not affected by the newly discovered zero-day vulnerabilities.

The discovery comes at a time when the multi-platform Web software is viewed unfavorably after an older zero-day flaw led to the hacking of three major technology firms within the same couple of weeks.

Facebook was the first to report a successful intrusion on its networks, then it was Apple's turn, followed by software giant Microsoft. A popular iPhone development Web site suffered a malware injection attack that infected visitors who had vulnerable Java software installed.

These machines, used by employees of the aforementioned companies, were connected back to their corporate networks. The companies noted that in all three cases there was no evidence that data was stolen.

Sophos security blogger Graham Cluley warned that the new zero-day flaws "could be exploited to completely bypass Java's security sandbox and infect computers in a similar fashion to the attacks which recently troubled the likes of Facebook, Apple and Microsoft."


About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
