Java flaw allows attackers to bypass sandbox defences

Warwick Ashford

Security researchers have discovered a new vulnerability in all supported versions of Oracle Java that enables attackers to bypass sandbox defences.

The vulnerability, which affects Java Standard Edition versions 5, 6 and 7, can be used to break out of the Java security sandbox, according to researchers at security firm Security Explorations.

This means a malicious Java applet or application could run unrestricted inside the target Java process, such as a web browser. Such malware could then enable an attacker to install software and to view, change or delete data with the privileges of the logged-on user.

The discovery was announced on the Full Disclosure security mailing list, but technical details of the vulnerability remain under wraps, according to eWeek.

The Security Explorations researchers say finding the flaw and creating an exploit are moderately difficult. But Oracle has acknowledged the issue and plans to address the Java security vulnerability in an update.

Security Explorations said it had provided Oracle with a technical description of the Java security vulnerability, along with the source and binary code of a proof-of-concept exploit.

Exploits for Java flaws are commonly used in attack kits such as Blackhole, but security researchers say that is unlikely to happen in cases such as this one, where the flaw has been reported privately to the vendor.

In August, Oracle released an out-of-cycle security update to patch newly identified vulnerabilities in Java 7 that were being widely exploited.

The move came after researchers urged Oracle not to wait, with news that the Java security vulnerabilities were being used in targeted attacks and were available to users of the Metasploit tool and Blackhole exploit kit.
