So you have read about the recent vulnerabilities discovered in Java that attackers used to spread malware? Have you installed the latest out-of-band update that Oracle released in order to close those vulnerabilities? Think it’s time to move on to other stories? Well, think again.
Computer World is reporting that another serious vulnerability in the latest update has been discovered that could allow an attacker to escape the Java security sandbox and run arbitrary code on your system. The vulnerability was discovered by a Polish security firm called Security Explorations and has been reported to Oracle, according to their CEO, Adam Gowdiak. He has also stated that they will not be releasing any technical details on the vulnerability until Oracle issues a fix.
In an email to IDG News Service, he states,
“Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again,” Gowdiak said. “A new idea came, it was verified and it turned out that this was it.”
Oracle hasn’t hinted whether they will be releasing an out-of-band update like the previous one or just include the patch in the scheduled October update. With vulnerabilities being discovered at such a fast pace, it might be time for Oracle to re-consider their four month update cycle. With the time span for fixing these vulnerabilities increasing, the chances of these vulnerabilities being used to attack users also increase leaving users with greater risk.
At this moment, the best option for you is to disable Java if you don’t really use it. Alternately, you can disable Java in your primary browser and use a secondary browser only to use web apps that require Java (if you absolutely need to use those web apps and are sure that those are not rogue) so that you don’t wander into compromised websites that make use of Java vulnerabilities.