Another critical Java vulnerability puts 1 billion users at risk

[ghandi]

Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might “spoil the taste of Larry Ellison's morning…Java.”

If you disabled Java when the last zero-day exploit was spotted in the wild, then you might consider doing so again . . . or dumping Java altogether? According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.”

Appalled to learn that Oracle/Java has another huge critical hole, I reached out to Adam Gowdiak in an email interview.

http://blogs.computerworld.com/malware-and-vulnerabilities/21056/another-critical-java-vulnerability-puts-1-billion-users-risk

--------------------------------------------------------------------------------------------------------------------------------------

Sounds just delightful.

HR,

Ghandi

[kao]

It's entirely possible that those guys found another problem in Java SE. However, the way they made their announcement is borderline retarded.

Guys at "full-disclosure" maillist summed it up nicely:

Re: [sE-2012-01] Critical security issue affecting Java SE 5/6/7

From: Chris Evans <scarybeasts () gmail com>

Date: Tue, 25 Sep 2012 16:30:37 -0700

> Hello All,

>

> We've recently discovered yet another security vulnerability

> affecting all latest versions of Oracle Java SE software. The

> impact of this issue is critical - we were able to successfully

> exploit it and achieve a complete Java security sandbox bypass

> in the environment of Java SE 5, 6 and 7. So far, we could only

> claim such an impact with reference to Java 7 environment (the

> Apple QuickTime attack relying on Issues 15 and 22 is the only

> exception here). Thus, this post.

I don't see any details?

This list is "full disclosure", not "touch self in public".

Cheers

Chris