SciTech
New security hole found in Java
Barely had Java been patched and updated when a new security hole was discovered by a team of Polish researchers, a security vendor said Wednesday night.
Sophos said the flaw can be exploited to bypass Java’s security “sandbox,” and that this time it affects many more versions of Java.
Adam Gowdiak, CEO of Poland-based Security Explorations, said the flaw is found in Oracle’s Java Standard Edition (SE), adding that a proof-of-concept exploit allows a “complete Java security sandbox bypass.”
"The latest hole is more serious because it affects more versions of the Java SE software. According to Gowdiak, the exploit worked with Java SE versions 5, 6 and 7, including the latest version of Java: SE 7 update 7 running on a fully patched Windows 7 32-bit OS," Sophos said in a blog post.
Sophos quoted Oracle as saying "roughly a billion devices globally" run one of those versions of the Java software.
Without explaining further, Gowdiak said the flaw “allows to violate a fundamental security constraint of a Java Virtual Machine (type safety).”
He said an attacker with knowledge of the security hole and how to exploit it could mount an attack using a specially crafted website or banner advertisement.
A malicious Java application can be used to trigger the hole and gain control over the vulnerable system, Gowdiak said.
“Upon convincing the user to visit such a website, typically by getting them to click a link in an email or in an Instant Messenger message, malicious web content could be delivered to affected systems,” Gowdiak said, adding the vulnerability is deemed “critical.”
He said his team managed to exploit it successfully and achieve a complete Java security sandbox bypass.
Last August, Security Explorations claimed responsibility for discovering critical vulnerabilities in Java 7, which it disclosed to Oracle in April 2012.
But Oracle did not rush to fix them, and by August two of the flaws had been re-discovered independently and publicly disclosed, triggering a wave of malware attacks.
The latest vulnerability, labeled “Issue 50,” was disclosed to Oracle on Tuesday and the company has not yet responded to it, Sophos said. — TJD, GMA News