New Java vulnerability found


Last week, Oracle released Java updates patching 42 vulnerabilities that could be exploited remotely without a username and password. But a security researcher has now found a new, unpatched vulnerability that is present in all Java SE 7 versions.

A Polish researcher, Gowdiak, has found the vulnerability and posted details on his website along with a proof of concept. Gowdiak explained the vulnerability as follows:

The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).

What's interesting is that the new issue is present not only in JRE Plugin / JDK software, but also the recently announced Server JRE as well.

This raises a real security concern, because attackers can exploit the vulnerability for malicious purposes. Oracle has been criticized in the past for not taking the patching of such holes seriously; the delay from Oracle was such that Apple had to release its own Java patch to fix the vulnerability. The widespread use of Java in applications these days makes it a priority target for attackers.

If you don't need Java, remove it. Why put yourself at risk? Most users don't need Java in their browser, and since most websites don't use it, those websites will work fine without it.

To disable Java, click the link for the browser you are using:

Sources: Naked Security, Seclist


One response to “New Java vulnerability found”

  1. The good news is that the security company says the exploit is “not very reliable” as it tries to overwrite a big chunk of memory and often results in the JVM crashing.
