Oracle investigating after two more Java 7 zero-day flaws found

Polish security researchers have discovered yet more zero-day vulnerabilities in Java, the beleaguered Web plug-in that led to the successful intrusion of Facebook, Apple and Microsoft in recent weeks.
Written by Zack Whittaker, Contributor

Java is at the center of yet another security storm after Polish security researchers found not one, but two new separate zero-day flaws in the Web plug-in software.

Web users are once again warned to disable Java immediately to prevent infection of production machines or networks.

Security firm Security Explorations submitted information about the bugs to Oracle, the developer of the Java 7 software, including proof-of-concept exploits that demonstrate the bugs exist. However, in one of the two cases, Oracle believes this is "allowed behavior," suggesting apathy on the company's part towards fixing the alleged flaw.

The two zero-day flaws are the latest in a number of problems affecting the Java plug-in, forcing Oracle to patch the software twice with emergency patches this year alone.

In a posting to the Seclists.org security forum, security researcher Adam Gowdiak said his firm had examined the latest Java 7 software update, released on February 19, and found two new security issues—dubbed Issue 54 and Issue 55—which "when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 (Update 15)."

He added: "Everything indicates that a ball is in Oracle's court. Again."

Issue 54 was "not treated as a vulnerability" by Oracle, Gowdiak said, as it demonstrates "allowed behavior." The security firm disagrees, however, because there is a mirror case corresponding to the 'flaw' that leads to denied access and a security exception. Issue 55, on the other hand, was confirmed by Oracle.

The researchers warned in the posting that should the Java maker stick to its belief that Issue 54 is not a security vulnerability, they will publish details of the flaw.

Java 6, which Oracle no longer supports, is not affected by the newly discovered zero-day vulnerabilities.

It comes at a time when the multi-platform Web software is viewed unfavorably after an older zero-day flaw led to the hacking of three major technology firms within the same couple of weeks.

Facebook was first to report a successful intrusion on its networks, then it was Apple's turn, followed by software giant Microsoft. A popular iPhone development Web site suffered a malware injection attack that infected visitors who had vulnerable Java software installed.

These machines, used by employees of the aforementioned companies, were connected back to their corporate networks. The companies noted that in all three cases there was no evidence that data was stolen.

Sophos security blogger Graham Cluley warned that the new zero-day flaws "could be exploited to completely bypass Java's security sandbox and infect computers in a similar fashion to the attacks which recently troubled the likes of Facebook, Apple and Microsoft."
