Oracle researchers thought they had fixed Java, but new sandbox bypass vulnerabilities are present in the latest update.
“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” said Java security researcher Adam Gowdiak of Security Explorations in Poland.
Gowdiak said his organization reported two new flaws to Oracle, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He will not share details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.
Reports started to surface that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc. said attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.
Gowdiak said the lack of a fix for the flaw inspired him to look for new issues.
“Leaving MBeanInstantiator issue unfixed was like an invitation to hack Java again. All that was required was to find another bug that could be combined with it,” Gowdiak said. “We have however decided not to rely on that unfixed bug and decided to find two completely new ones instead.”
The latest Java woes started Jan. 9 when reports surfaced from researchers that new Java exploits were present in all the major exploit kits, including Blackhole, Cool and Redkit.
Oracle responded on Monday with an out-of-band update that it said included patches for the two vulnerabilities as well as a change to the default security configuration in Java. Oracle changed it from medium to high, meaning unsigned Java applets, or self-signed applets, would prompt the user before executing. Experts said this was a good first step, but would not deter social engineering attacks that could trick a user into allowing an applet to execute, or an attacker from using a stolen, valid certificate to run a malicious applet automatically.