Another exploit found in latest Java security patch
Friday’s emergency update can still be bypassed, and Oracle’s reaction doesn’t inspire confidence.
At the back end of last week, Oracle finally caved to days of increasingly negative press over the security holes in Java SE, releasing an emergency patch intended to fix all outstanding issues. While hardly making up for months of ignoring security researchers’ warnings, it at least silenced critics (like us) worrying that it would be neglected until the next security update, scheduled for October.
Unfortunately, it appears that even this hasn’t been enough. Adam Gowdiak of Security Explorations, who last week revealed that Oracle had failed to act on known exploits since April, delivered another blow to the company by revealing on the Bugtraq mailing list that “not all security issues that were reported in Apr 2012 got addressed by the recent Java update”.
Today we sent a security vulnerability report along with a Proof of Concept code to Oracle. The code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012). The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again.
So, if Gowdiak’s accusations are legitimate, it appears Java is still insecure. Which is bad enough by itself – but made yet worse by Oracle’s failure to acknowledge it.
Over on Ars Technica, Dan Goodin reports that the company responded to a request for comment by directing him to Thursday’s security advisory, which was published before this latest news broke (update: we received the same response). Meanwhile, in the post’s comments thread, readers argued over whether uninstalling Java was a necessary protective
So a week on, what has been achieved? Very little, it seems: Oracle are still failing to engage with (understandably) worried users, and browsing with Java installed is still potentially insecure. But this time the situation is even worse, since convincing your average user to download two updates within such a short space of time will be a considerable challenge.
From our point of view, there are two measures Oracle needs to take: bake an auto-updating security mechanism into Java, with updates at least once a week; and just as importantly, be honest and transparent about these issues – before the negative press spills outside of the tech community bubble.