Java update 'doesn't prevent silent exploits at all'
Summary: Holes still exist in Oracle's Java software that could potentially leave machines open to remote execution of malicious code, according to a researcher.
The zero-day vulnerability, uncovered in January, was widely reported to have been exploited in the wild, leading Homeland Security in the US to recommend disabling Java altogether. Following the bad press, Oracle quickly rolled out a fix for the issue in the form of Java SE7 Update 11.
However, Adam Gowdiak, a researcher from Security Explorations, said on the Full Disclosure mailing list on Sunday that there is another vulnerability in Java that allows remote execution of malicious code - that is, the running of unsigned Java content in a web page.
"What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings," Gowdiak wrote.
The four Java control panel settings are security settings introduced in Java SE7 Update 10 in October 2012 to control the access unsigned Java apps have to the system. It allows a user to set Java's web security as low, medium, high or very high. A setting of 'very high' means that unsigned apps should not run outside of the sandbox environment, which in theory protects the user from any potential threats.
"Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with 'Very High' Java Control Panel security settings," Gowdiak wrote in the disclosure. "Recently made security 'improvements' to Java SE 7 software don't prevent silent exploits at all," he added.
Java is often a high-profile target for malicious software makers and online ne'er-do-wells as it has such a large install base (it is currently in use on more than 850 million PCs and Macs) and frequent critically rated security vulnerabilities.