Information Security News mailing list archives

Oracle reportedly knew of critical Java bugs under attack for 4 months


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 30 Aug 2012 00:46:57 -0500 (CDT)

http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-months-ago/

By Dan Goodin
Ars Technica
Aug 29, 2012

Oracle engineers were briefed on critical vulnerabilities in the Java software framework more than four months before the flaws were exploited in malware attacks that take complete control of end-user computers, according to a published report.

Poland-based Security Explorations privately alerted Oracle to the bugs on April 2, IDG News reported on Wednesday. On Sunday, four months later, separate security researchers at FireEye reported targeted malware attacks that used the Oracle software to install the Poison Ivy backdoor trojan. The exploits were added to the popular BlackHole exploit kit on Monday evening, and have since snowballed. They can be found on more than a dozen separate websites, FireEye researcher Atif Mushtaq wrote in an update on Wednesday.

According to IDG News, two of the 19 vulnerabilities Security Explorations reported in April are those now under attack. By combining them, hackers are able to completely bypass security protections built into Java that are supposed to isolate Java applications from sensitive operating system functions. Neither of those was fixed during the most recent critical patch update for Java in June, although it did address three other issues the Polish firm reported. Oracle's next regular update isn't scheduled until mid-October. The flawed Java components violate many of Oracle's own Secure Coding Guidelines for the Java Programming Language, Security Explorations said.

In an exploit analysis published on Tuesday, Immunity Inc. researcher Esteban Guillardoy wrote, "The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check. The beauty of this bug class is that it provides 100 percent reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353)."

[...]
