Wednesday, September 26, 2012

Researchers Find Yet Another Zero-Day Java Flaw

Security researchers at Polish firm Security Explorations announced that they have found yet another security vulnerability in Oracle’s Java SE software that would allow a malicious attacker to gain complete control of a user’s system.

The new exploit affects Java SE 5, 6, and 7, which means over a billion PCs are at risk if Oracle’s reported number of desktops running Java is accurate.

According to Adam Gowdiak of Security Explorations, all tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system using Firefox, Chrome, Internet Explorer, Opera and Safari, but that doesn’t mean other operating systems are safe.

As Gowdiak explained to Computer World, “We simply did our test on Windows 7 32-bit. But, it does not matter because all operating systems supported by Oracle Java SE (such as Windows, Linux, Solaris, MacOS) are vulnerable as long as they have Java 5, 6 or 7 installed and enabled.”

The new bug marks the 50th security flaw that Security Explorations has discovered within Java, and they have already submitted a technical description of the issue “along with a source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7” to Oracle for review.

So far, Oracle has not commented on this new exploit.

For those who are wondering (and you should be), there is no proof that this flaw is being actively exploited in the wild at this time; however, the clock is ticking. Let's also not forget that Oracle has yet to close the security holes present in their most recent out-of-band patch, which was issued to fix the last Java zero-day to make headlines.

Once again, if you don't need Java on your PC, remove it. If you do need Java, then it's best you dedicate a single browser to handle all of your Java-enabled website browsing, and disable the plug-in in your remaining web browsers.
