A research firm has discovered what's being called a critical flaw in Java SE that could enable an attacker to bypass a key security safeguard, potentially putting as many as 1 billion Java installations at risk.
The vulnerability, found by security research consultancy Security Explorations, was disclosed Tuesday via the Seclists.org Full Disclosure mailing list. The issue affects specific builds of Oracle Corp.'s Java SE, versions 5, 6, and 7.
Adam Gowdiak, Security Explorations founder and CEO, wrote that his group was able to use the flaw to bypass the security measures of the Java sandbox, a special memory area that the Java Virtual Machine (JVM) sets aside for the execution of untrusted code. An attacker could use the flaw to execute malicious code and gain at least partial control over a target system.
Gowdiak told Computerworld that while Security Explorations tested the flaw on a fully patched Windows 7 32-bit system using the Firefox, Google Chrome, Internet Explorer, Opera and Safari Web browsers, virtually any endpoint running Windows, Linux, Solaris or MacOS that has Java SE version 5, 6, or 7 installed is vulnerable.
In his Seclists post, Gowdiak said information on the vulnerability was provided to Oracle. As of Wednesday morning, Oracle had yet to respond. To secure endpoints in the meantime, Gowdiak told Computerworld that Java Web browser plugins should be disabled until Oracle issues patches.
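Disabling the plug-in fleet-wide starts with knowing which endpoints still have one installed. The script below is an added example, not code from the article, from Computerworld or from Security Explorations: it walks a set of directories and reports any Java browser plug-in artefacts it finds. The artefact file names (npjp2.dll, libnpjp2.so, JavaAppletPlugin.plugin) and the default search roots are assumptions drawn from typical Oracle Java SE installs, so extend them for your own environment; the demo() function audits a constructed temporary directory tree rather than a real host.

```python
import os
import tempfile
from pathlib import Path

# Assumed names of the Java SE browser plug-in artefacts on each platform
# (typical Oracle Java 5/6/7 installs; not taken from the article).
JAVA_PLUGIN_NAMES = {
    "npjp2.dll",                # Windows NPAPI plug-in (Firefox, Chrome, Opera, Safari)
    "libnpjp2.so",              # Linux/Solaris NPAPI plug-in
    "JavaAppletPlugin.plugin",  # macOS plug-in bundle (a directory, not a file)
}

# Hypothetical default search roots per platform; adjust for your fleet.
DEFAULT_ROOTS = {
    "nt": [
        r"C:\Program Files\Java",
        r"C:\Program Files (x86)\Java",
        r"C:\Program Files\Mozilla Firefox\plugins",
    ],
    "posix": [
        "/usr/lib/mozilla/plugins",
        "/usr/lib64/mozilla/plugins",
        "/usr/java",
        "/Library/Internet Plug-Ins",
        os.path.expanduser("~/.mozilla/plugins"),
    ],
}


def find_java_plugins(roots):
    """Walk each root and return the sorted paths of Java plug-in artefacts."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.exists():
            continue  # a missing root simply means nothing to report there
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                if name in JAVA_PLUGIN_NAMES:
                    hits.append(str(Path(dirpath) / name))
            # a matched bundle directory is already recorded; do not descend into it
            dirnames[:] = [d for d in dirnames if d not in JAVA_PLUGIN_NAMES]
    return sorted(hits)


def plugin_report(roots):
    """Summarise an audit: whether any plug-in is present and where."""
    hits = find_java_plugins(roots)
    return {"java_plugin_present": bool(hits), "paths": hits}


def demo():
    """Audit a constructed directory tree (sample data, not a real host).

    Returns (clean_report, dirty_report): the first covers roots with no
    plug-in (one of them nonexistent), the second covers the whole tree.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        plugins = tmp / "mozilla" / "plugins"
        plugins.mkdir(parents=True)
        (plugins / "libnpjp2.so").write_bytes(b"")        # constructed Java plug-in
        (plugins / "libflashplayer.so").write_bytes(b"")  # unrelated plug-in, ignored
        bundle = tmp / "Internet Plug-Ins" / "JavaAppletPlugin.plugin" / "Contents"
        bundle.mkdir(parents=True)                        # constructed macOS-style bundle
        (tmp / "clean").mkdir()
        clean = plugin_report([tmp / "clean", tmp / "does-not-exist"])
        dirty = plugin_report([tmp])
        return clean, dirty


if __name__ == "__main__":
    roots = DEFAULT_ROOTS["nt" if os.name == "nt" else "posix"]
    print(plugin_report(roots))
```

Running the file audits the current host with the assumed default roots; a non-empty paths list is the cue to disable or remove the plug-in on that machine until a vendor patch is installed.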
Word of the new flaw comes just weeks after Oracle issued a rare emergency out-of-band patch for a Java zero-day flaw. That Java flaw enabled an attacker to install a dropper onto infected systems, which were then instructed to download additional malware from a remote server. However, researchers quickly discovered a flaw in Oracle's patch.
The new Java problem was announced on the eve of Oracle's annual JavaOne conference, likely as a dig at Oracle, a company whose approach to software security has come under heavy criticism in recent years.
"We hope that a news about 1 billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's morning…Java," Gowdiak wrote.