Oracle investigating after two more Java 7 zero-day flaws found
Summary: Polish security researchers have discovered two more zero-day vulnerabilities in Java, the beleaguered Web plug-in whose earlier zero-day flaw led to the successful intrusions at Facebook, Apple and Microsoft in recent weeks.
Java is at the center of yet another security storm after Polish security researchers found not one, but two new separate zero-day flaws in the Web plug-in software.
Users are once again advised to disable the Java browser plug-in immediately to keep production machines and networks from being infected.
Security firm Security Explorations submitted details of the bugs to Oracle, the developer of Java 7, together with proof-of-concept exploits demonstrating them. In one of the two cases, however, Oracle considers the behaviour "allowed behavior," which the researchers read as a lack of urgency on the company's part to fix the alleged flaw.
The two zero-day flaws are the latest in a string of problems affecting the Java plug-in, which has already forced Oracle to ship two emergency patches this year.
In a posting archived at Seclists.org, security researcher Adam Gowdiak said his firm had examined the latest Java 7 update, released on February 19, and found two new security issues—dubbed Issue 54 and Issue 55—which "when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 (Update 15)."
He added: "Everything indicates that a ball is in Oracle's court. Again."
Issue 54 was "not treated as a vulnerability" by Oracle, Gowdiak said, because it demonstrates "allowed behavior." The security firm disagrees: a mirror case of the same behaviour results in access being denied with a security exception, which is hard to square with the first case being allowed. Issue 55, by contrast, was confirmed by Oracle as a vulnerability.
The researchers warned in the posting that if Oracle sticks to its position that Issue 54 is not a security vulnerability, they will publish details of the flaw.
Java 6, which Oracle no longer supports, is not affected by the newly discovered zero-day vulnerabilities.
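An added example, not part of the ZDNet article or of Security Explorations' advisory: a small Python inventory check that parses the first line of `java -version` output and a user's `deployment.properties` file, then flags hosts running Java 7 at or below Update 15 with the browser plug-in still enabled. The version banners and properties contents below are constructed. The Update 15 cutoff comes from the article (7u15 is the affected release; earlier Java 7 updates are assumed no better), `deployment.webjava.enabled` is the property behind the Java Control Panel's "Enable Java content in the browser" checkbox, and treating an absent key as "enabled" is an assumption about the default.

```python
import re

# Cutoff taken from the article: Java SE 7 Update 15 (released Feb 19, 2013)
# is affected by Issue 54 + 55. Earlier Java 7 updates are assumed no better.
LAST_AFFECTED_JAVA7_UPDATE = 15

# Matches the first line of `java -version` (printed on stderr), e.g.
#   java version "1.7.0_15"      java version "1.7.0_15-b03"
#   java version "1.6.0_43"      openjdk version "1.7.0"
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?(?:-[\w.]+)?"'
)


def parse_java_version(version_output):
    """Return (major, update) for a Java 1.x version banner, or None."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return (major, update)


def web_java_enabled(deployment_properties):
    """Read deployment.properties text; False only if browser Java is
    explicitly switched off (deployment.webjava.enabled=false, the key
    behind the Java Control Panel checkbox). Assumption: absent means on."""
    for raw in deployment_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', '!')):   # properties comments
            continue
        key, sep, value = line.partition('=')
        if sep and key.strip() == 'deployment.webjava.enabled':
            return value.strip().lower() != 'false'
    return True


def assess_host(version_output, deployment_properties=''):
    """Classify one host from its version banner and deployment.properties."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return 'no-java-or-unrecognised'
    major, update = parsed
    if major == 7 and update <= LAST_AFFECTED_JAVA7_UPDATE:
        if web_java_enabled(deployment_properties):
            return 'affected-plugin-enabled'   # act: disable the plug-in now
        return 'affected-plugin-disabled'      # browser vector already closed
    if major <= 6:
        return 'unaffected-but-unsupported'    # Java 6: no fix stream either
    return 'newer-than-article-review'         # the article says nothing here


# Constructed sample inventory: (hostname, `java -version` first line,
# contents of that user's deployment.properties). Hostnames are made up.
SAMPLE_HOSTS = [
    ('dev-mac-01', 'java version "1.7.0_15"', ''),
    ('dev-mac-02', 'java version "1.7.0_15-b03"',
     '#Java Deployment Properties\ndeployment.webjava.enabled=false\n'),
    ('build-lnx-03', 'openjdk version "1.7.0"', ''),
    ('legacy-win-04', 'java version "1.6.0_43"', ''),
    ('clean-win-05',
     "'java' is not recognized as an internal or external command", ''),
]


def assess_inventory(hosts=SAMPLE_HOSTS):
    """Return {hostname: status} for a list of (host, banner, props)."""
    return {h: assess_host(b, p) for h, b, p in hosts}


if __name__ == '__main__':
    for host, status in assess_inventory().items():
        print(f'{host:14} {status}')
```

Feed it real data by capturing `java -version 2>&1 | head -1` on each host and the per-user `deployment.properties` (under `~/.java/deployment/` on Linux, `~/Library/Application Support/Oracle/Java/Deployment/` on OS X, `%APPDATA%\..\LocalLow\Sun\Java\Deployment\` on Windows, per the usual Java deployment layout). A host reported as `affected-plugin-enabled` is the one to act on first; the Java 6 bucket is not hit by these two issues but gets no patches either.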
It comes at a time when the cross-platform plug-in is viewed unfavourably after an older zero-day flaw led to the hacking of three major technology firms within the same couple of weeks.
Facebook was first to report a successful intrusion on its networks, then Apple, followed by Microsoft. A popular iPhone development Web site had been compromised in a watering-hole attack: visitors with vulnerable Java software installed were infected when they loaded the site.
The infected machines, used by employees of the three companies, were connected back to their corporate networks. All three companies said there was no evidence that data was stolen.
Sophos security blogger Graham Cluley warned that the new zero-day flaws "could be exploited to completely bypass Java's security sandbox and infect computers in a similar fashion to the attacks which recently troubled the likes of Facebook, Apple and Microsoft."

Talkback
I feel sorry for the Java ecosystem
Looks like you'll need a Java virus protection system within your perimeter until you can escape the inevitable collapse.
Once the cost-benefit equation turns sour, the conditions are ripe for a general exodus leading to total collapse of the ecosystem.
The Java ecosystem is fine
Don't need Java? Uninstall it.
Need Java applications on your desktop, but don't need to run Java applets in your web browser? Block the Java plug-in from your web browser.
Need to run Java applets in your web browser? Use the GNU/Linux desktop as it's safer than either OS X or Windows. Want some security too? Create a Linux Security Module policy or profile for your web browser that includes running the Java plug-in.
The Java ecosystem is not fine
The Java ecosystem is MUCH bigger than the Java plug-in
P.S. Mozilla?! They'd be happy to see the Java plug-in disappear too.
Whooosh!
Yet
Quite amazing considering the market share of Windows compared to Linux. Again ridiculing the notion that Linux is safer, it simply isn't.
There is no apparent difference when it comes to using Linux, Windows or OS X when it comes to Java, although using it on Windows with IE or Chrome would be a good idea due to sandboxing.
Links?
"When some security firms released reports about the high profile Java vulnerability that infected a large number of OSX machines, quite a few Linux machines also were reporting."
Are you implying that employees at Apple and in Microsoft's Mac software division run GNU/Linux desktops? Again, please provide some links (or even one link) stating that GNU/Linux desktops were compromised along with OS X desktops.
sjaak327 also wrote:
"... Java, although using it on Windows with IE or Chrome would be a good idea due to sandboxing."
Currently, no web browser on any platform sandboxes the Java plug-in. That includes IE and Chrome on Windows. That's why I stated that GNU/Linux users would have to create (or modify existing) LSM profiles or policies for their web browser to include protection for the Java plug-in.
Links ?
LSM profiles? Please, Windows has MIC; the Java plugin cannot (without elevation) interfere with any other process, as it inherits the integrity level of the browser, which by default runs at the lowest integrity level already.
Sorry
http://www.zdnet.com/blog/bott/second-source-confirms-1-in-100-macs-are-infected-by-flashback/4737
See after all I still did the work for you :)
Not an Option
Still, the problem isn't Java, per se, but how aggressively it is being exploited by hackers. Microsoft Windows used to hold the title for the most vulnerable and most exploited platform. But hackers seem to have moved on to Java - not a bad move, from their perspective, since Oracle is now like Microsoft once was, that is, very casual where security is concerned. Unlike Windows, however, Java is neither as ubiquitous nor as essential. If Oracle doesn't get their act together, people are going to be moving away from Java - as they have been from Flash - for more secure and reliable content platforms.
Rationality
Apathy
I was beginning to wonder the same thing, pard
JAVA Just Another Virus Application
Cute acronym
Time to move on. If you can't, you have my sympathies.
Revert
It could be another donation to Apache foundation
Nope
How many security issues have been found with Silverlight?
The bucket of puke James Gosling sure talked a good game regarding C# and unsafe code, but it's his pathetic joke of a language that is the true embarrassment. Java has always been and will always be a pathetic joke written by a worthless sack of shit.
What part of YOU excuses ME?
Of course not.
Just because Silverlight may have holes doesn't excuse other code having holes.