Oracle has had a busy 2013 so far as it has scrambled to fix dangerous zero-day exploits found in its Java browser plugin. The company will have no rest, however, as security researchers have found more exploits.
Security research firm Security Explorations reported two new zero-day exploits affecting Java on February 25. Since then, the firm has provided a number of updates on the progress it has made with Oracle toward patching these security holes:
A Vulnerability Notice, along with Proof of Concept code, is sent to Oracle Corporation (Issues 54 and 55).
Oracle confirms successful reception and decryption of the vulnerability report. The company informs us that it will investigate based on the data provided and get back to us soon.
Oracle provides a monthly status report for the reported issues. The company informs that Issue 51 is under investigation / being fixed in main codeline. The report does not mention Issues 54 and 55 yet.
Oracle provides tracking numbers for Issues 54 and 55, but claims they are still not confirmed.
Security Explorations asks Oracle whether it needs any assistance in running the received Proof of Concept code, or whether a confirmation of the reported vulnerabilities from a third party such as US-CERT would be helpful for the company. Security Explorations informs Oracle that it expects a clear confirmation or denial of Issues 54 and 55 (in the past, receipt of tracking numbers from Oracle was equivalent to the confirmation of a given report).
Oracle provides the results of its assessment and informs that Issue 54 is not a vulnerability (it demonstrates the “allowed behavior”). The company confirms Issue 55.
Security Explorations disagrees with Oracle’s assessment regarding Issue 54 and provides the company with its arguments. Security Explorations demonstrates to Oracle a corresponding sample of “allowed behavior” of Issue 54 that leads to a denied access and a security exception.
Security Explorations provides Oracle with another example illustrating denied access under a condition similar to Issue 54. The company asks Oracle whether it still considers Issue 54 a non-vulnerability demonstrating the “allowed behavior”.
The issues referenced above – 54 and 55 – can apparently be combined to “gain a complete Java security bypass in the environment of Java SE 7 (Update 15).” Oracle is labeling Issue 54 a non-issue, but Issue 55 has been picked up for further investigation.
This latest discovery further stains Java’s reputation: not only has it been exploited twice in the past two months, but those exploits led to major firms like Apple and Facebook being hacked. Granted, Oracle can’t predict every new exploit that comes its way, but you would think it would be more thorough before releasing updates.
So, what can you do to prevent Java-based attacks? It’s rather simple, really – just disable Java. Firefox automatically disables it for you, and it’s