Friday, January 18, 2013

More Bad News For Java: Latest Java Update Broken, New Bypass Flaws Found

Despite Oracle's recent attempts to patch Java, reports surfaced earlier this week that the update was incomplete and didn't address all of the critical holes in the application. Today, further reports suggest that two new bypass flaws have been found and remain unpatched.

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.

In the meantime, I highly suggest that all Java users either remove the plug-in or disable it. The Windows control panel for Java makes it easy to disable the Java plug-in, giving you the option of keeping it installed and enabling it only as needed. Instructions on how to disable Java in Chrome, Firefox and Safari are also available from their respective companies.
