
Five new Java SE 7 flaws spotted

A Polish security firm reported yesterday that it had discovered five new vulnerabilities in Oracle Corp.’s popular Java software.
The new security flaws can potentially be used by attackers to bypass Java’s sandbox and install malware, according to Security Explorations, a security and vulnerability research firm.
 
“The five new security flaws were discovered in Java SE 7 (numbered 56 to 60), which when combined together can be successfully used to gain complete Java security sandbox bypass in the environment of Java SE 7 Update 15,” Adam Gowdiak, CEO of Security Explorations, wrote in a blog on the security news site SecureList.Org.

Two of the items Security Explorations found could affect Java SE 6 as well, he said.

“The attack breaks a couple of security checks introduced to Java SE by Oracle over the recent months,” Gowdiak added. “It also exploits code fragments that were missing proper security checks corresponding to the very mirror code.”


The discovery of the latest five vulnerabilities comes just a week after Security Explorations reported two other flaws in Oracle’s plug-in used to run Java applications in a browser.

Earlier, Oracle announced that it was speeding up its Java patch process particularly to address security issues regarding the Java Runtime Environment in desktop browsers.

In recent weeks, security experts have expressed concerns about Oracle’s ability to keep its software safe from attacks following a string of Java patch problems.

Early in February, the United States Department of Homeland Security even urged computer administrators and users to disable Java plug-ins in the browser because of a major vulnerability in the software.

Oracle immediately issued an emergency security update to Java 7. That emergency patch, however, failed to address two new vulnerabilities which could enable attackers to execute arbitrary code on computers.
