Tuts 4 You

Another critical Java vulnerability puts 1 billion users at risk


ghandi

Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might “spoil the taste of Larry Ellison's morning…Java.”

If you disabled Java when the last zero-day exploit was spotted in the wild, then you might consider doing so again . . . or dumping Java altogether? According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.”

Appalled to learn that Oracle/Java has another huge critical hole, I reached out to Adam Gowdiak in an email interview.

http://blogs.computerworld.com/malware-and-vulnerabilities/21056/another-critical-java-vulnerability-puts-1-billion-users-risk

--------------------------------------------------------------------------------------------------------------------------------------

Sounds just delightful.

HR,

Ghandi

It's entirely possible that those guys found another problem in Java SE. However, the way they made their announcement is borderline retarded.

Guys at "full-disclosure" maillist summed it up nicely:

Re: [SE-2012-01] Critical security issue affecting Java SE 5/6/7
From: Chris Evans <scarybeasts () gmail com>
Date: Tue, 25 Sep 2012 16:30:37 -0700

> Hello All,
>
> We've recently discovered yet another security vulnerability
> affecting all latest versions of Oracle Java SE software. The
> impact of this issue is critical - we were able to successfully
> exploit it and achieve a complete Java security sandbox bypass
> in the environment of Java SE 5, 6 and 7. So far, we could only
> claim such an impact with reference to Java 7 environment (the
> Apple QuickTime attack relying on Issues 15 and 22 is the only
> exception here). Thus, this post.

I don't see any details?

This list is "full disclosure", not "touch self in public".

Cheers

Chris
