Java flaw allows attackers to bypass sandbox defences


Security researchers have discovered a new vulnerability in all supported versions of Oracle Java that enables attackers to bypass sandbox defences.

The vulnerability, which affects Java Standard Edition versions 5, 6 and 7, can be used to break out of the Java security sandbox, according to researchers at security firm Security Explorations.

This means a malicious Java applet or application could escape the sandbox and run unrestricted inside the Java process hosting it, such as a web browser's Java plug-in. Code that breaks out in this way runs with the privileges of the logged-on user, so an attacker could install software and view, change or delete any data that user can access.

The discovery was announced on the Full Disclosure security mailing list, but technical details of the vulnerability remain under wraps, according to eWeek.

The Security Explorations researchers rate both finding the flaw and building a working exploit for it as moderately difficult. Oracle has acknowledged the issue and plans to address it in a future Java security update.

Security Explorations said it had provided Oracle with a technical description of the vulnerability, along with the source and binary code of a proof-of-concept exploit.

Exploits for Java flaws are commonly added to attack kits such as Blackhole, but security researchers say that is unlikely to happen with a flaw such as this one, which was reported privately to the vendor and whose technical details have not been published.

In August, Oracle released an out-of-cycle security update to patch newly identified vulnerabilities in Java 7 that were being widely exploited.

The move came after researchers urged Oracle not to wait, with news that the Java security vulnerabilities were being used in targeted attacks and were available to users of the Metasploit tool and Blackhole exploit kit.
