Researchers find critical vulnerability in Java 7 patch hours after release

The new vulnerability allows a complete Java Virtual Machine sandbox escape in Java 7 Update 7, researchers from Security Explorations say

Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO said Friday via email.

The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.

Oracle broke out of its regular four-month patching cycle on Thursday to release Java 7 Update 7, an emergency security update that addressed three vulnerabilities, including two that were being exploited by attackers to infect computers with malware since last week.

Java 7 Update 7 also patched a "security-in-depth issue" which, according to Oracle, was not directly exploitable, but could have been used to aggravate the impact of other vulnerabilities.

The patching of that "security-in-depth issue," which Gowdiak calls an "exploitation vector," rendered ineffective all of the proof-of-concept (PoC) Java Virtual Machine (JVM) security bypass exploits that the Polish security firm had previously submitted to Oracle.

According to Gowdiak, Security Explorations privately reported 29 vulnerabilities in Java 7 to Oracle back in April, including the two that are now actively exploited by attackers.

The reports were accompanied by a total of 16 proof-of-concept exploits that combined those vulnerabilities to fully bypass the Java sandbox and execute arbitrary code on the underlying system.

The removal of the getField and getMethod methods from the implementation of the sun.awt.SunToolkit class in Java 7 Update 7 disabled all of Security Explorations' PoC exploits, Gowdiak said.

However, this only happened because the "exploitation vector" was removed, not because all vulnerabilities targeted by the exploits were patched, Gowdiak said.

The new vulnerability discovered by Security Explorations in Java 7 Update 7 can be combined with some of the vulnerabilities left unpatched by Oracle to achieve a full JVM sandbox bypass again.

"Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC codes and started to think about the possible ways of how to fully break the latest Java update again," Gowdiak said. "A new idea came, it was verified and it turned out that this was it."

Gowdiak doesn't know when Oracle plans to address the remaining vulnerabilities reported by Security Explorations in April or the new one submitted by the security company on Friday.

It's not clear if Oracle will release a new Java security update in October as it previously planned. Oracle declined to comment.


Security researchers have long warned that if vendors take too much time to address a reported vulnerability, it might be discovered by the bad guys in the meantime, if they don't already know about it.

On multiple occasions, different bug hunters have independently discovered the same vulnerability in the same product, and this might also be what happened with the two actively exploited Java vulnerabilities addressed by Java 7 Update 7.

"Independent discoveries can never be excluded," Gowdiak said. "This specific issue [the new vulnerability] might be however a little bit more difficult to find."

Based on the experience of Security Explorations researchers with hunting for Java vulnerabilities so far, Java 6 has better security than Java 7. "Java 7 was surprisingly much easier for us to break," Gowdiak said. "For Java 6, we didn't manage to achieve a full sandbox compromise, except for the issue discovered in Apple Quicktime for Java software."

Gowdiak has echoed what many security researchers have said before: If you don't need Java, uninstall it from your system.

Another case of Apple knows best..

It seems Apple knows what is best for you, including the information you view or read. With their complete control over the products you purchase and "own," it is up to them what you can or can't do on their device. This is not anything new, but simply a reminder of who really owns your computer experience. As we go forward those controls continue to tighten; what follows is the latest "Apple knows best" case, regarding application denial. Is this CENSORSHIP?

An iOS app developed to heighten awareness of the US drone war has been rejected by Apple for the third time – just three weeks after the Electronic Frontier Foundation warned that a proposed new US bill “would have broad consequences for press freedom and the public’s right to know.”

The EFF is concerned about provisions in the annual Intelligence Authorization Act that are designed to stop leaks of classified information to news reporters. EFF specifically mentions the new book by Daniel Klaidman, Kill or Capture: The War on Terror and the Soul of the Obama Presidency and its discussion on drone strikes. Yet because information is “hidden behind giant walls of secrecy, there is no oversight or accountability, and the public has no say in the decision as to whether the country should be engaging in them at all.”

Josh Begley, a New Yorker, sought to lift that veil of secrecy, not by leaking classified information but by making access to published information more effective. His app draws its source data from the freely available database compiled by The Bureau of Investigative Journalism, a not-for-profit organization based at City University in London.

The app, Drones+ (there’s a brief Vimeo video here) simply lists information about drone strikes and provides a map that shows where they occurred. It is purely factual and contains no graphics beyond the map. Nevertheless, it has now been rejected by Apple’s reviewers three times in the last month. The first rejection was apparently because it isn’t “useful or entertaining enough.” The second rejection had an issue over a logo. And the latest rejection is because Apple finds the content “objectionable and crude.”

Buster Heine in Cult of Mac comments, “We don’t see anything objectionable about the app, but apparently Apple does. What’s also concerning is that it took three rejections before Begley found out that Apple just didn’t like the content.”

Whether the timing of these rejections and the Senate deliberations on preventing leaks is anything other than coincidence will probably never be known. Nevertheless, critics of Apple’s restrictive approach to its walled garden have long claimed that it presents a danger to free speech. Drones+ would seem to confirm that.


Unfortunately this is TRUE CENSORSHIP and only the tip of an iceberg.

Wolfram Alpha Facebook Tool Reveals How Many Of Your Friends Are Single (And More News You Can Use)

Wolfram Alpha, the geniuses who brought you the sophisticated "knowledge engine" and taught Siri practically everything she knows, have bestowed upon the world a new online activity even more narcissistic than Googling yourself: running analytics on your Facebook account.

Wolfram Alpha's "Facebook report" puts personal analytics within everyone's reach and lets users actually benefit from the big data they've passed over to the social network. Plus, it's a whole lot of fun.

The things I learned from my "Facebook report," which I generated by entering "Facebook report" into the Wolfram Alpha site and giving it access to my Facebook profile, include:

  • How many of my friends are single, engaged, hitched, in a relationship or "other"
  • Which of my friends actually care enough to "like" or comment on my posts (Jason, Craig, you two are the best. Quite literally.)
  • The friends of mine with whom I share the most mutual friends (a list dominated by my closest friends and college acquaintances most likely to become politicians)
  • The frequency with which certain words appeared in my Facebook posts (I apparently use "Facebook," "new" and "know" quite a bit)
  • The post of mine that received the most "likes" and the most comments
  • The average length of my posts (perhaps I've been trained by Twitter to think in short bursts: my average Facebook post was 103 characters.)
  • The percent of male vs. female friends I have
  • How frequently I shared different types of information with Facebook over the past two years (photos vs. status updates vs. links) and how it varies over the average week

And much, much more. As Stephen Wolfram, who helped pioneer Wolfram Alpha's "knowledge engine," notes, "When you type 'facebook report', Wolfram Alpha generates a pretty seriously long report -- almost a small book about you, with more than a dozen major chapters, broken into more than 60 sections, with all sorts of drill-downs, alternate views, etc." (Wolfram's blog post introducing the feature includes a subtle dig at the social network: "I have to admit that I’m not a very diligent user of Facebook (mostly because I have too many other things to do). But I’ve got lots of Facebook friends (most of whom, sadly, I don’t know in real life).")


Try the tool for yourself here.

Investigating FinSpy: when surveillance spyware gets in the wrong hands

Surveillance software is an extremely powerful tool for criminal investigations, giving government and law enforcement agencies a method to efficiently and quietly locate lawbreakers without leaving a trace. But just as any proper spy movie has taught us, the same software can be used to acquire information from innocent people for less honorable purposes. The New York Times recently spoke with Morgan Marquis-Boire, a Google engineer, and Bill Marczak, who is working on earning a PhD in computer science, about their own investigation into software known as FinSpy, a legal spyware tool intended for use by governments to monitor criminals.

What the two found is a worst-case scenario for individuals concerned with freedom and the protection of their personal information. In their analysis, they discovered that FinSpy had been used to track and deliver malware to Bahraini political activists, even those with no criminal records. And it didn't stop there: Marquis-Boire and Marczak's reports — which are available for public viewing — identify additional countries that used the software for similar reasons. Head over to the Times to see what else Marquis-Boire and Marczak have discovered in the last four months, what the Electronic Frontier Foundation has to say about it, and how Amazon's EC2 cloud service may have played a role in the ordeal.

Java Zero Day Flaw Under Attack

A zero-day vulnerability in Java is being actively exploited in the wild. The current attacks seem to be targeted, but security experts warn that more widespread attacks could be imminent.

Next to Adobe Reader and Adobe Flash, Java is probably one of the most ubiquitous and widely used applications. Unfortunately, it also provides attackers with plenty of holes and vulnerabilities to exploit, which makes it a popular target.

Proof-of-concept (PoC) code has been developed for the Metasploit Framework tool. Wolfgang Kandek, CTO of Qualys, explains that this is concerning because it makes the exploit available to a much wider audience, and probably means more attacks targeting the Java vulnerability are on the horizon.

Andrew Storms, director of security operations for nCircle, is concerned that it could be a while before a patch or update is released to resolve the vulnerability and guard against these attacks. “Oracle isn’t known for releasing patches out of cycle and the next scheduled update for Java isn't until October. Part of the problem is that Java is so ubiquitous that it tends to be overlooked as a ‘small’ piece of software.”

Kandek warns that until a patch is released, the only real defense users can employ is to limit the use of Java or uninstall it altogether. Uninstalling it may be a tad extreme, though. There are options within the Java security controls to restrict its use to well-known websites that are less likely to harbor malicious exploits.

Right now, it seems that only the newer version of Java—v7—is vulnerable to the zero-day. Java 1.6 might be safe, although it’s not entirely clear at this time. The current attacks are aimed at Java 7 on Windows, but the Metasploit Framework PoC exploit also works on Mac OS X so Apple users should be on guard as well.

Thankfully, following the last Java exploit debacle, Apple implemented a proactive system that disables Java if it’s not actively used over the previous 35 days. So, Mac OS X users who infrequently or rarely use Java should already have the software disabled and not have to worry.

If you’re not sure whether your Java is enabled or disabled in Mac OS X, there’s a way to find out. Kandek says, “Mac users can check on the state of Java by using the Java Preferences program, which allows the user to disable the connection between Java and the browser by unchecking the "On" field.”

Storms takes issue with Oracle’s lack of disclosure and transparency when it comes to threats like this. “Oracle really should take a page out of Microsoft’s security response book and start communicating with users about security issues.”

Storms sums up, “Until then, the only recourse for users is to disable Java in all Web browsers to protect against drive-by attacks.”
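Both Java articles on this page turn on the same practical question for a defender: which Java family is installed, and is a Java 7 install still below Update 7, the emergency release that fixed the actively exploited issues? The following helper, an added example that is not part of either article, parses the version line that `java -version` prints and classifies it along those lines. The sample output strings are constructed for illustration, and the category names (`java7-pre-7u7` and so on) are this example's own labels, not anything Oracle or the researchers quoted above use.

```python
import re
import subprocess

# `java -version` prints its first line in the form
#     java version "1.7.0_06"
# i.e. 1.<family>.<patch>_<update>. Java 7 Update 7 is "1.7.0_07".
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, family, patch, update) parsed from `java -version`
    output, or None if no version line is present."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    major, family, patch, update = match.groups()
    return (int(major), int(family), int(patch), int(update or 0))


def classify(output):
    """Classify a `java -version` output against the situation the articles
    describe: Java 7 below Update 7 lacks the emergency fix; Java 7 Update 7 or
    later has it (but, per Security Explorations, still has unpatched issues);
    Java 6 is not known to be affected by the actively exploited flaws."""
    version = parse_java_version(output)
    if version is None:
        return "unknown"
    _, family, _, update = version
    if family == 7:
        return "java7-pre-7u7" if update < 7 else "java7-7u7-or-later"
    if family == 6:
        return "java6"
    return "other"


def installed_java_output():
    """Run the local `java -version` (which writes to stderr) and return its
    text, or None if no java binary is available."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return proc.stderr + proc.stdout


# Constructed sample outputs, in the format the JDK prints.
SAMPLE_PRE_PATCH = ('java version "1.7.0_06"\n'
                    'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n')
SAMPLE_PATCHED = 'java version "1.7.0_07"\n'
SAMPLE_JAVA6 = 'java version "1.6.0_35"\n'

if __name__ == "__main__":
    for sample in (SAMPLE_PRE_PATCH, SAMPLE_PATCHED, SAMPLE_JAVA6):
        print(sample.splitlines()[0], "->", classify(sample))
    local = installed_java_output()
    print("local install ->", classify(local) if local else "no java found")
```

The regex anchors on the quoted version string rather than the build number, so it is unaffected by the vendor-specific text that follows on later lines; the classification deliberately stops at "7u7 or later" because, as the first article explains, that release removed the exploitation vector but not every reported vulnerability.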

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

The simple answer is ‘no, nor should they’. But that requires some context. It is fair to say that the original anti-virus companies are slowly attempting to rebrand themselves as security companies. This is because they have added additional capabilities to their products to the extent that they are now better classified as security suites rather than just anti-virus. Nevertheless, the original branding remains strong: an anti-virus product is designed to stop viruses. But if that is the case, anti-virus cannot protect against a vulnerability, since a vulnerability is not a virus and cannot be stopped.

Rik Ferguson, EMEA director of security research & communications at Trend Micro (whose layered security product performed very well in the test), described it like this. “A vulnerability is like leaving your front door open,” he told Infosecurity. “But that doesn’t mean you’ve been exploited – although an infection might subsequently be carried into your living room through the open door.” In this analogy, the purpose of anti-virus is to detect the virus trying to get in through the vulnerability. The solution to an open door is to close it; anti-virus attempts to provide a temporary partial solution by preventing things coming through it while it is still open.

Panda Security senior research advisor Pedro Bustamante puts it more bluntly. “It is not the job of anti-virus to protect against unpatched software vulnerabilities unless malicious code is detected.” That doesn’t mean that the wider, layered security of what used to be known as the anti-virus industry cannot be effective against vulnerabilities – only that anti-virus per se is not concerned with vulnerabilities. But the NSS report asks if AV products protect against vulnerabilities – they cannot, although the wider endpoint security suites will be more effective.

Any ability for the AV industry to protect against vulnerabilities will also depend upon the relationship between the vendor of the vulnerable software and the AV company. “Microsoft is pretty good these days at advising security companies about MS-specific vulnerabilities,” ESET senior research fellow David Harley told Infosecurity, but other companies are not. “I don't see most AV scanners competing on a level playing field with dedicated vulnerability scanners,” he added.

And this is the problem. Unless the security suite includes a specific vulnerability scanner, it should not be expected to be good at protecting against vulnerabilities. But by saying that the report analyzes AV products, and finds many wanting, the report implies that anti-virus itself is not delivering.

However, one thing is agreed by all: timely patching is always the best solution against vulnerabilities since they close the vulnerability door; and without the vulnerabilities, there is no malware. The solution, said Bustamante, is “ensuring software is fully up to date – along with security software, user behaviour and the other layers of security. This is the best way to mitigate risk.”

“Patching (and pre-patching remediation where advised by the provider) is still the first line of defense – though using a vulnerability scanner is also worth considering, certainly in an organizational context,” added Harley.
