Java update 'doesn't prevent silent exploits at all'

Summary: Holes still exist in Oracle's Java software that could potentially leave machines open to remote execution of malicious code, according to a researcher.

TOPICS: Security, Oracle

An update for Java Standard Edition 7 (SE7) - which was supposed to fix a high-profile critical vulnerability that left machines susceptible to remote exploits - has failed to solve all the issues with the software, leaving the door open to further attacks.

The zero-day vulnerability, uncovered in January, was widely reported to have been exploited in the wild, leading Homeland Security in the US to recommend disabling Java altogether. Following the bad press, Oracle quickly rolled out a fix for the issue in the form of Java SE7 Update 11.

However, Adam Gowdiak, a researcher from Security Explorations, said on the Full Disclosure mailing list on Sunday that there is another vulnerability in Java that allows remote execution of malicious code - that is, the running of unsigned Java content in a web page.

"What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings," Gowdiak wrote.

The four Java Control Panel settings are security levels introduced in Java SE7 Update 10 in October 2012 to control the access unsigned Java apps have to the system. They let a user set Java's web security to low, medium, high or very high. A setting of 'very high' means that unsigned apps should not run outside of the sandbox environment, which in theory protects the user from any potential threats.

"Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with 'Very High' Java Control Panel security settings," Gowdiak wrote in the disclosure. "Recently made security 'improvements' to Java SE 7 software don't prevent silent exploits at all," he added.

Java is often a high-profile target for malicious software makers and online ne'er-do-wells as it has such a large install base (it is currently in use on more than 850 million PCs and Macs) and frequent critically rated security vulnerabilities.

Ben Woods

About Ben Woods

With several years' experience covering everything in the world of telecoms and mobility, Ben's your man if it involves a smartphone, tablet, laptop, or any other piece of tech small enough to carry around with you.

Talkback

59 comments
  • Is this another case of "It doesn't prevent the person sitting

    at the computer from being stupid and allowing this stuff to run?
    Lerianis10
    • silent exploit

      @Lerianis10, unfortunately, no. From the Full Disclosure posting, an exploit can be crafted that bypasses any security setting and it can also be a silent exploit.


      What we found out and what is a subject of a new security
      vulnerability (Issue 53) is that unsigned Java code can be
      successfully executed on a target Windows system regardless
      of the four Java Control Panel settings described above.
      Our Proof of Concept code that illustrates Issue 53 has been
      successfully executed in the environment of latest Java SE
      7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS
      and with "Very High" Java Control Panel security settings.

      That said, recently made security "improvements" to Java
      SE 7 software don't prevent silent exploits at all. Users
      that require Java content in the web browser need to rely
      on a Click to Play technology implemented by several web
      browser vendors in order to mitigate the risk of a silent
      Java Plugin exploit.

      Thank you.

      Best Regards
      Adam Gowdiak
      George Marengo
      • Open source security failed again

        The myth of "many eyes reviewing" should rest in peace now.
        LBiege
        • i'm not pro-Java

          but I think Oracle's implementation of its JVM is not open-source.
          adsl_uplb
        • when was it

          free technology? Sun had a better history. Oracle blew it. IcedTea code is more secure, AMOF.
          There shouldn't be client-side executable code at all. Noscript+Firefox is the best solution until there is javascript/flash and no need for jre in the browser.
          eulampius
        • Open Source

          Wow, I don't know WTF you came up with that gem. Java as it's used by developers on devices is not the issue at all. Which is why my android device never has issues: many custom ROMs are developed by people who actually know what they are doing.

          Oracle, obviously, does not. As they've proven time and time again. How one of the largest software companies in the world can't actually write code that works, is mind boggling.
          screamino
          • I love Android but....

            I also love Swiss Cheese. Android is not secure and always needs an antivirus.
            jsargent
        • LOL

          Sun JRE on Windows is open-source???
          Somebody just came back from time-travelling...
          mslinux
      • "Target Windows System"

        Now is this just a reporter not knowing what to say or is this Windows only?
        sysop-dr
  • proprietary sw is lame and insecure

    this is why the FOSS will prevail in its fight with the axis of evil: M$, apple and oracle.
    LlNUX Geek
    • @LINUX Geek

      I think you might need to take a bubble bath and relax a while.
      MC_z
      • back to the fry station little boy...

        just keep saying it; eventually you will have maybe a 100 people. Just like "Remember the Maine"...
        ScanBack
        • that reply was for LinuxDink

          not MC_z... hate the no edit option.
          ScanBack
      • Perhaps...

        ...add a valium and a nap after the bubble bath. Seriously, go troll somewhere else, LinuxDink (I like that one, ScanBack).
        Draclvr
    • Sure, right.

      Now don't forget your meds again - the delusions are getting worse.
      athynz
  • The only safe JAVA

    is an uninstalled JAVA. I recently removed JAVA from my work desktop and home laptop and have not yet run into any situation or web site that needed it. JAVA just needs to go away.
    Digger_z
    • "FreeMind" requires Java, so disable Java for all browsers...

      Found this from another source - This allows you to keep Java around for non-browser applications.

      (1) Run Java's control panel, javacpl.exe, located in C:\Program Files (x86)\Java\jre7\bin or C:\Program Files\Java\jre7\bin (or somewhere similar)

      (2) On the Security tab, uncheck the "Enable Java Content in the browser" checkbox.

      (3) Restart your browser(s) if running.
      Bruce Lang
      • Java may be needed for some apps...

        Unfortunately the author of the "article" did not mention the very important step suggested by Bruce Lang - which I strongly agree with. There are commercial applications that require the JRE, and if needed, at least uncoupling from the browser may offer some degree of security.
        randysmith@...
      • uncheck the "Enable Java Content in the browser"

        Tried but could not find anywhere in any of the tabs where it said anything similar to "Enable Java Content in the browser".
        buchajaa
        • uncheck the "Enable Java Content in the browser"

          You will find that information in the Security tab. Go to the Control Panel and click the Java icon. Uncheck the box. If you use just the 32-bit Java, that is all you need to do there. If you also installed the 64-bit, the icon in the Control Panel is for the 64-bit only. You now have to go to Windows Explorer, go to Program Files (x86); this is where the 32-bit Java is. Scroll down to Java, click Java, click the bin folder, scroll down to javacpl.exe and open it. Go to Security and uncheck the box. You are not done. Go into an Internet Explorer site, click on Tools in the toolbar up top, find Manage Add-ons, open it, scroll through, and be sure that the Java plug-ins are disabled; if not, disable them.... Now you are done.
          Meadow19@...
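The steps Bruce Lang and Meadow19 describe above, together with the article's point that the 'Very High' slider is not by itself a defence, can be checked from the settings file rather than by clicking through the dialog. The script below is an added example; it is not code from the article, from Oracle or from the commenters. It assumes that the Java 7 Control Panel stores its choices in the per-user file `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties`, that the "Enable Java content in the browser" checkbox corresponds to the key `deployment.webjava.enabled`, and that the slider is `deployment.security.level` with the values LOW, MEDIUM, HIGH and VERY_HIGH; the sample file contents are constructed. It parses the Java properties format (comments, escapes, line continuations), reports FAIL whenever the plug-in is enabled, flagging VERY_HIGH explicitly since Issue 53 ran at that level, and produces a corrected copy of the file text with the plug-in switched off.

```python
# Added example for this ZDNet thread; not code from the article, Oracle or the
# commenters. Property keys and file location are assumptions (see lead-in).
import os
import sys

WEBJAVA_KEY = "deployment.webjava.enabled"  # assumed: "Enable Java content in the browser" box
LEVEL_KEY = "deployment.security.level"     # assumed: the LOW/MEDIUM/HIGH/VERY_HIGH slider

# Constructed sample: slider at "Very High" but plug-in still on, the state Issue 53 ran against.
SAMPLE_PROPERTIES = r"""
#deployment.properties
#Sun Jan 20 12:00:00 CET 2013
deployment.version=7.11
deployment.security.level=VERY_HIGH
deployment.webjava.enabled=true
deployment.browser.path=C\:\\Program Files\\Internet Explorer\\iexplore.exe
"""

def _unescape(s):
    """java.util.Properties escapes: \\t \\n \\r \\f; any other \\X becomes X (no \\uXXXX)."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(simple.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def _split_key_value(line):
    """Split a logical line at the first unescaped '=', ':' or whitespace."""
    key, i = [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            key.append(line[i + 1])
            i += 2
        elif c in "=: \t":
            break
        else:
            key.append(c)
            i += 1
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return "".join(key), _unescape(rest)

def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments; an odd number of trailing
    backslashes continues the logical line onto the next physical line."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        logical = lines[i].lstrip()
        i += 1
        if not logical or logical[0] in "#!":
            continue
        while (len(logical) - len(logical.rstrip("\\"))) % 2 == 1 and i < len(lines):
            logical = logical[:-1] + lines[i].lstrip()
            i += 1
        key, value = _split_key_value(logical)
        props[key] = value
    return props

def audit(props):
    """Return (ok, findings); ok only when the browser plug-in is off, since the
    article reports that a VERY_HIGH slider alone did not stop Issue 53."""
    enabled = props.get(WEBJAVA_KEY, "true").strip().lower() != "false"  # Oracle default: on
    level = props.get(LEVEL_KEY, "MEDIUM").strip().upper()
    if not enabled:
        return True, ["Java content in the browser is disabled (%s=false)" % WEBJAVA_KEY]
    findings = ["Java content in the browser is ENABLED (%s is not false)" % WEBJAVA_KEY]
    if level == "VERY_HIGH":
        findings.append("slider is VERY_HIGH, but Issue 53 ran unsigned code at that level; "
                        "disable the plug-in or rely on the browser's Click-to-Play")
    else:
        findings.append("slider is %s; unsigned applets may run after a prompt, or silently" % level)
    return False, findings

def disable_webjava(text):
    """Return the file text with the plug-in off (the scripted equivalent of
    unchecking the box). Assumes the key is not split across continuation lines."""
    out, seen = [], False
    for line in text.splitlines():
        s = line.lstrip()
        if s and s[0] not in "#!" and _split_key_value(s)[0] == WEBJAVA_KEY:
            out.append("%s=false" % WEBJAVA_KEY)
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append("%s=false" % WEBJAVA_KEY)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Usage: python java_webjava_audit.py [path-to-deployment.properties]; no path -> sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    # .properties files are ISO-8859-1; fall back to the constructed sample when no file is given.
    text = open(path, encoding="latin-1").read() if path and os.path.isfile(path) else SAMPLE_PROPERTIES
    ok, findings = audit(parse_properties(text))
    for line in findings:
        print(("PASS: " if ok else "FAIL: ") + line)
```

Run it with the path to a user's deployment.properties as the only argument; without one it audits the constructed sample, which fails exactly the way the article describes (plug-in on, slider at Very High). As Meadow19 notes, a 64-bit and a 32-bit JRE keep separate control panels, so check each user's file and the browser add-on lists as well.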