Oracle investigating after two more Java 7 zero-day flaws found

Oracle investigating after two more Java 7 zero-day flaws found

Summary: Polish security researchers have discovered yet more zero-day vulnerabilities in Java, the beleaguered Web plug-in, that led to the successful intrusion of Facebook, Apple and Microsoft in recent weeks.

TOPICS: Security

Java is at the center of yet another security storm after Polish security researchers found not one, but two new separate zero-day flaws in the Web plug-in software.

Web users are once again warned to disable Java immediately to prevent any infection on production machines or networks. 

Read this

How to disable Java in your browser on Windows, Mac

How to disable Java in your browser on Windows, Mac

Amid a serious security flaw in the latest version of Java 7, where even the U.S. Department of Homeland Security has warned users to disable the plug-in, here's how you do it.

Security firm Security Explorations submitted information about the bugs to Oracle, the developer of the Java 7 software, including proof-of-concept exploits that prove the bugs exist. However, in one of the cases, Oracle believes this is "allowed behavior," suggesting an apathy on the company's part to fix the alleged flaw. 

The two zero-day flaws are the latest in a number of problems affecting the Java plug-in, forcing Oracle to patch the software twice with emergency patches this year alone.

In a posting to the security forum, security researcher Adam Gowdiak said his firm had examined the latest Java 7 software update, released on February 19, and found two new security issues—dubbed Issue 54 and Issue 55—which "when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 (Update 15)."

He added: "Everything indicates that a ball is in Oracle's court. Again."

Issue 54 was "not treated as a vulnerability" by Oracle, Gowdiak said, as this demonstrates "allowed behavior." The security firm disagrees, however, because there was a mirror case corresponding with the 'flaw' that leads to an denied access and a security exception. However, Issue 55 was confirmed by Oracle. 

The researchers warned in the posting that should the Java maker stick to its belief that Issue 54 is not a security vulnerability, they will publish details of the flaw. 

Java 6, which Oracle no longer supports, is not affected by the newly discovered zero-day vulnerabilities.

It comes at a time when the multi-platform Web software is looked upon in unfavoring eyes after an older zero-day flaw led to the hacking of three major technology firms all within the same couple of weeks.

Facebook was first to report a successful intrusion on its networks, then it was Apple's turn, followed by software giant Microsoft. A popular iPhone development Web site suffered a malware injection attack which led to visitors of the site with vulnerable Java software installed being infected.

These machines, used by employees of the aforementioned companies, were connected back to their corporate networks. The companies noted that in all three cases there was no evidence that data was stolen. 

Sophos security blogger Graham Cluley warned that the new zero-day flaws "could be exploited to completely bypass Java's security sandbox and infect computers in a similar fashion to the attacks which recently troubled the likes of Facebook, Apple and Microsoft."

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I feel sorry for the Java ecosystem

    You've all been lead down the primrose path.

    Looks like you'll need a Java virus protection system within your perimeter until you can escape the inevitable collapse.

    Once the Cost-benefit equation turns sour the conditions are ripe for a general exodus leading to total collapse of the ecosystem.
    • The Java ecosystem is fine

      It's the Java plug-in for web browsers that is the problem.

      Don't need Java? Uninstall it.

      Need Java applications on your desktop, but don't need to run Java applets in your web browser? Block the Java plug-in from your web browser.

      Need to run Java applets in your web browser? Use the GNU/Linux desktop as it's safer than either OS X or Windows. Want some security too? Create a Linux Security Module policy or profile for your web browser that includes running the Java plug-in.
      Rabid Howler Monkey
      • The Java ecosystem is not fine

        If it was fine then this plug-in wouldn't be an issue. It's Oracle's plug-in, not Mozilla's.
        • The Java ecosystem is MUCH bigger than the Java plug-in

          The Java plug-in could disappear tomorrow and Oracle wouldn't blink an eye. Lots of Java applications, Java-based middleware and Java server pages out there ...

          P.S. Mozilla?! They'd be happy to see the Java plug-in disappear too.
          Rabid Howler Monkey
        • Whooosh!

          Was that a Cessna?
      • Yet

        When some security firms released reports about the high profile java vulernerability that infected a large number of OSX machines, quite a few Linux machines also were reporting. And quite surprisinly a very small percentage of Windows machines were reporting back. (The percentage of Linux machines was higher than the percentage of Windows machines).

        Quite amazing considering the market share of Windows compared to Linux. Again ridiculing the notion that Linux is safer, it simply isn't.

        There is no apparent difference when it comes to using Linux, Windows or Osx when it comes to java, allthough using it on Windows with IE or chrome would be a good idea due to sandboxing.
        • Links?

          sjaak327 wrote:
          "When some security firms released reports about the high profile java vulernerability that infected a large number of OSX machines, quite a few Linux machines also were reporting.

          Are you implying that employees at Apple and in Microsoft's Mac software division run GNU/Linux desktops? Again, please provide some links (or even one link) stating that GNU/Linux desktops were compromised along with OS X desktops.

          sjaak327 also wrote:
          "... java, allthough using it on Windows with IE or chrome would be a good idea due to sandboxing.

          Currently, no web browser on any platform sandboxes the Java plug-in. That includes IE and Chrome on Windows. That's why I stated that GNU/Linux users would have to create (or modify existing) LSM profiles or policies for their web browser to include protection for the Java plug-in.
          Rabid Howler Monkey
          • Links ?

            The java vulnerability that infected over 600.000 macs has been discussed to death on this very site. Including the figures I talked about. It seems you suffer from a short memory. I would suggest you search instead of asking me to provide links, one thing is for sure, I am not making this up.

            Lsm profiles ? Please, Windows has MIC, the java plugin cannot (without elevation) interfere with any other process, as it inherits the itegrety level of the browser, which by default runs on the lowest integrety level already.
          • Sorry

            Can't edit. I was talking about flashback.


            See after all I still did the work for you :)
      • Not an Option

        Linux is not an option for the overwhelming majority of computer users. It may be hog heaven for some geeks, but for most of us it's far more trouble than it's worth. Unfortunately, turning Java off in web browsers is harder with some browsers than with others. It's a simple, easily found setting in Safari. In Chrome and Firefox, not so much. Perhaps those browser developers still think Java is the coolest thing since sliced bread; it's clearly not a setting they care to give users control over. Oracle is not the only one, then, that is behind the curve on Java security issues.

        Still, the problem isn't Java, per se, but how aggressively it is being exploited by hackers. Microsoft Windows used to hold the title for the most vulnerable and most exploited platform. But hackers seem to have moved on to Java - not a bad move, from their perspective, since Oracle is now like Microsoft once was, that is, very casual where security is concerned. Unlike Windows, however, Java is neither as ubiquitous or essential. If Oracle doesn't get their act together, people are going to be moving away from Java - as they have been from Flash - for more secure and reliable content platforms.
        • Rationality

          Unix in ANY form is NOT a viable option for the AVERAGE computer user.
  • Apathy

    Its becoming increasingly clear that Oracle does not care about Java.
    • I was beginning to wonder the same thing, pard

      One thing after another. Seems as if, either, somebody's hot to bring Oracle to its knees (or lower), or Oracle simply doesn't give a rodent's flapper valve. I truly hope no sensible developers are writing web apps that rely upon Java. Not a good investment of effort, I would think.
  • JAVA Just Another Virus Application

    Always was, always will be. Just kill it and be done with the crapware.
    Reality Bites
    • Cute acronym

      But Java is as it always was - slow, clunky and requires plug-ins and/or a virtual machine to run. Luckily MS doesn't ship it with Windows or we'd really be in trouble. You either fell into the rabbit hole yourself or you're trapped in a company with slow and clunky legacy applications.

      Time to move on. If you can't, you have my sympathies.
  • Revert

    Yet another reason to stick with Java 6. Oracle really should revert all the security-loosening changes they made from 6 to 7. They make things more convenient for developers, but obviously didn't have enough development before being released.
  • It could be another donation to Apache foundation

    perhaps that would change the dynamic...
    Tomas M.
    • Nope

      Oracle, with IBM's assistance, killed The Apache Software Foundation's Harmony project. But, not before Google took what they needed for Dalvik.
      Rabid Howler Monkey
  • How many security issues have been found with Silverlight?

    With .NET?

    The bucket of puke James Gosling sure talked a good game regarding C# and unsafe code, but it's his pathetic joke of a language that is the true embarrassment. Java has always been and will always be a pathetic joke written by a worthless sack of shit.
    • What part of YOU excuses ME?

      Jack, Lets say you're a Carreer Bank Robber yet to be caught, does that make it OK for me to hold up a convenience store?

      Of course not.

      Just because Silverlight may have holes doesn't excuse other code having holes.

      Rob Berman