VRB News

Old Java vulnerability appears again

by admin
March 20, 2021

A patch that Oracle published some time ago for a vulnerability in Java SE appears to be ineffective. Security researchers now warn that attackers can use the flaw to execute arbitrary code.

A well-known vulnerability in Java SE appears to be open again. According to Adam Gowdiak, CEO of the Polish security firm Security Explorations, Oracle is said to have already fixed the flaw in September 2013. But the patch seems to be ineffective. As a result, attackers are able to execute code outside the Java sandbox.

“We have found out that the Oracle patch can easily deal with it,” writes Gowdiak in a post on the Full Disclosure mailing list. Only four characters of the original attack code, published in October 2013, would need to be changed. In addition, an HTTP server has to respond to the first request for a particular Java class with a “404 (not found)” error message.

Security Explorations provides the updated attack code as well as a detailed description of the vulnerability (PDF). It has been tested with Java SE 7 Update 97, Java SE 8 Update 74 and the Early Access Build 108 of Java SE 9. Gowdiak points out, however, that the Click2Play function, which obtains a user's consent before Java applets are executed, is not affected.

If a web page tries to load a vulnerable application outside of the browser, users can see this warning. (Image: Microsoft)

The security researchers have informed Oracle in advance about the faulty patch. As the reason, they cite a new policy for the disclosure of security vulnerabilities. “Defective fixes will no longer be tolerated. If we encounter a broken fix for a vulnerability that we have already reported to the manufacturer, it is made public without notice,” Gowdiak added.

In addition, Gowdiak criticized Oracle’s assessment of the vulnerability. In October 2013, the company stated that the flaw with the identifier CVE-2013-5838 could only be exploited through Java Web Start applications and Java applets. “We have confirmed that an exploit is also used in a server environment, as well as with the Google App Engine for Java.”

Security Explorations has been drawing attention to security vulnerabilities in Java since the beginning of 2012. The company accuses Oracle of failing to provide patches as soon as possible. In a presentation at the JavaLand conference in Brühl (PDF), the security researchers reported on a flaw, reported in September 2012, that Oracle only fixed in January 2013. The company only implemented a fix proposed by Security Explorations.

[with material from Stefan Beiersmann, ZDNet.de]
