Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might "spoil the taste of Larry Ellison's morning...Java."
If you disabled Java when the last zero-day exploit was spotted in the wild, then you might consider doing so again . . . or dumping Java altogether? According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects "one billion users of Oracle Java SE software."
Appalled to learn that Oracle/Java has another huge critical hole, I reached out to Adam Gowdiak in an email interview.
Interview with Security Explorations' CEO Adam Gowdiak:
I wanted to clarify that this is yet another new critical Java zero-day that places one billion users at risk (again)?
Gowdiak: That's right. This is a completely new issue (announced today). It has, however, a bigger impact than any previous issue we found as part of our Java security research project, as it affects Java 5, 6 and 7. Most of our previous findings were primarily affecting Java version 7.
Unlike the last critical security flaw that Oracle just patched on August 30, this critical Java bug affects all the newest versions of Java since the last patch?
Gowdiak: That's right.
If you have the Java plugin and use any of these browsers: Chrome, Firefox, Internet Explorer, Opera or Safari, then you are vulnerable?
Gowdiak: Yes. We tested the latest web browsers with the latest Java SE software.
Is this Security Explorations' 50th Java bug discovery? (Issue 50 states: This proof-of-concept is a "complete Java security sandbox bypass.")
Gowdiak: Yes. We found a total of 50 issues in various Java SE implementations:
- 31 issues reported to Oracle (17 different complete sandbox bypass exploits)
- 2 Issues reported to Apple (1 complete sandbox bypass exploit)
- 17 issues reported to IBM (10 different complete sandbox bypass exploits).
You can see the timeline of reporting them here: http://www.security-explorations.com/en/SE-2012-01-status.html
So what did Oracle reply to you?
Gowdiak: We haven't heard from them yet.
Softpedia stated, 'The researchers have confirmed that Java SE 5 - Update 22, Java SE 6 - Update 35, and Java SE 7 Update 7 running on fully patched Windows 7 32-bit operating systems are susceptible to the attack.' Does that imply that fully patched Windows 7 64-bit systems are not vulnerable to the attack? Is it only Windows 7?
Gowdiak: No. It's gonna be Windows 7 32-bit as well as 64-bit. We simply did our test on Windows 7 32-bit. But it does not matter, because all operating systems supported by Oracle Java SE (such as Windows, Linux, Solaris, MacOS) are vulnerable as long as they have Java 5, 6 or 7 installed and enabled.