Netsec whack-a-mole

Another exploit found in latest Java security patch

Elliot Bentley

Friday’s emergency update can still be bypassed, and Oracle’s reaction doesn’t inspire confidence.

At the back end of last week, Oracle finally caved to days of
increasingly negative press over the security holes in Java SE,
releasing an emergency patch intended to fix all outstanding
issues. While hardly making up for months of ignoring security
researchers’ warnings, it at least silenced critics (like us)
worrying that it would be neglected until the next security
update, scheduled for October.

Unfortunately, it appears that even this hasn’t been enough. Adam
Gowdiak of Security Explorations, who last week revealed that
Oracle had failed to act on known exploits since April, delivered
another blow to the company by revealing on the Bugtraq mailing
list that “not all security issues that were reported in Apr 2012
got addressed by the recent Java update”.

Today we sent a security vulnerability report along with a Proof
of Concept code to Oracle. The code successfully demonstrates a
complete JVM sandbox bypass in the environment of the latest Java SE
software (version 7 Update 7, released on Aug 30, 2012). The reason
for it is a newly discovered security issue that made it possible
to exploit some of our not yet addressed bugs again.

So, if Gowdiak’s accusations are legitimate, it appears Java is
still insecure. That is bad enough by itself, but it is made worse
by Oracle’s failure to acknowledge it.

Over on Ars Technica, Dan Goodin reports that the company responded
to a request for comment by directing him to Thursday’s security
advisory, which was published before this latest news broke
(update: we received the same response). Meanwhile, in the post’s
comments thread, readers argued over whether uninstalling Java was
a necessary protective measure.

So a week on, what has been achieved? Very little, it seems: Oracle
are still failing to engage with (understandably) worried users,
and browsing with Java installed is still potentially insecure. But
this time the situation is even worse, since convincing your
average user to download two updates within such a short space of
time will be a considerable challenge.

From our point of view, there are two measures Oracle needs to
take: bake an auto-updating security mechanism into Java, with
updates at least once a week; and just as importantly, be honest
and transparent about these issues – before the negative press
spills outside of the tech community bubble.
