Oracle confirms Java 7 flaw, says another is 'allowed behavior'

Summary: A security researcher gives Oracle two weeks to change its mind that an issue he reported is not a security flaw, or else he'll let the public be the judge.

Oracle has disputed a claim that Java SE 7 contains a security flaw, but the researcher who found it disagrees and says he may release details next week unless Oracle changes its assessment.

Adam Gowdiak, CEO of Polish security firm Security Explorations, reported two new security "issues" to Oracle on Monday, noting that they were specific to Java SE 7 below Update 15, the latest Java 7 update, which Oracle released on February 19.

Oracle is not scheduled to release the next Java update until April 16, but if an exploit for the flaws reaches the wrong hands, it may be forced to. Oracle notably released an out-of-band update for Java on February 1 to fix 50 Java 7 flaws, including one affecting the Java browser plugin that attackers were exploiting. The update preceded admissions by Facebook, Apple and Microsoft that some of their developers had been hacked using an exploit for the plugin.

Days prior to Oracle's update, Gowdiak also warned that Java SE 7 Update 11 was vulnerable to a remote attack.
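The version range named above (Java SE 7 below Update 15) is the one thing an administrator can act on today. The following POSIX shell script is an added example, not code from the article or from Security Explorations: it parses the first line of a `java -version` banner (the real `java version "1.7.0_13"` format used by Oracle and OpenJDK builds; the sample banners in the test are constructed) and reports whether the installed JVM is a Java 7 build older than Update 15.

```shell
#!/bin/sh
# Added example: classify a `java -version` banner line against the
# range the article names (Java SE 7 below Update 15).
# Sample banner strings used with these functions are constructed.

# Extract the quoted version token from a banner line, e.g. 1.7.0_13
java_version_token() {
    # $1: a line like: java version "1.7.0_13"
    printf '%s\n' "$1" | sed -n 's/.*"\([0-9][0-9._]*\)".*/\1/p'
}

# Print "affected" for Java 7 (1.7.0) with update < 15,
# "patched" for Java 7 at Update 15 or later,
# "other" for any other major version (not covered by this advisory).
classify_java7() {
    tok=$(java_version_token "$1")
    case "$tok" in
        1.7.0_*) ;;                          # fall through to numeric compare
        1.7.0)   echo affected; return 0 ;;  # GA build with no update suffix
        *)       echo other;    return 0 ;;
    esac
    upd=${tok#1.7.0_}
    upd=${upd%%[!0-9]*}                      # drop any non-numeric tail
    if [ "${upd:-0}" -lt 15 ]; then
        echo affected
    else
        echo patched
    fi
}

# Check the JVM on this machine, if one is on PATH.
# `java -version` writes its banner to stderr, hence the redirect.
check_local_java() {
    if command -v java >/dev/null 2>&1; then
        banner=$(java -version 2>&1 | head -n 1)
        echo "$banner -> $(classify_java7 "$banner")"
    else
        echo "no java binary on PATH"
    fi
}
```

Run `check_local_java` on each host (or feed it saved banner lines from an inventory) to find Java 7 installs that still need Update 15; a result of "other" means the host is outside the range this report covers, not that it is safe.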

Gowdiak says both new issues could allow an attacker to "abuse the Reflection API in a particularly interesting way."

"We gained a complete Java security sandbox bypass under Java SE 7 Update 15 and below," he said by email.

Oracle yesterday confirmed that one of the issues, which the researcher labels "issue 55," was a flaw, but disputed the other, "issue 54," as "allowed behavior."

Gowdiak disagrees with Oracle's assessment of issue 54 and says he will be forced to "leave it to the public" to decide if it does not change its position within one or two weeks.

While the specific behavior in issue 54 might be permitted, Gowdiak says that individual security bypasses in a Java virtual machine (VM) environment should not be assessed in isolation.

"In many cases, it is difficult to judge Java security flaws separately as this can lead to misleading conclusions. In a Java VM environment, usually more than one partial security bypass issue needs to be combined together to achieve a complete security compromise. As for the attack itself, it is quite easy to set up," he said.

In a post today, he said there is "a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception".

"It's a public API case versus private code path case. Public API denies access and throws a security exception, while private code path does not signal any problems (access is allowed)," he explained.

ZDNet asked Oracle to confirm its assessment of the reported flaws but had not received a response at the time of writing.

"We might start considering the release of Issue 54 details if [Oracle] still treats it as the 'allowed behavior' and not a vulnerability. In such a case, the public opinion will have the opportunity to make a judgment on its own," said Gowdiak, adding that "one or two weeks" should be enough.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code, for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Another Java security flaw... shocking.

  • What is upsetting about bug whistleblowing these days

    is that if security experts use the right channels and don't make headway, they often get into legal problems for going public with the problem. But if they don't, someone who genuinely wants to abuse the product flaw will be the first to exploit it - a no win scenario.
  • he should just publish it

    Oracle says it is allowed behavior, so there will be no harm in publishing it.
  • Doesn't he say that it was fixed...

    In the latest releases?
    Keep your Java plugin up-to-date.
  • Perfect idea

    Disable - don't uninstall - Java.
    Wait a bit. No issues, remove it. That's what I'm doing shortly. I'm just about to enter the removal phase.
  • The Usual Reminder

    This isn't about Java as such, it's about running Java applets within a web browser.