Oh No! Yet Another Java Vulnerability Discovered

Just when it was starting to look safe to go back into the Java again …

Some time ago I made the decision to ditch Java completely on my system. I had to find a few replacement apps, for instance for the popular file hosting downloader JDownloader or the RSS feed reader RSSOwl, but other than that, I did not really miss Java once I kicked it off the hard drive.

Recent news about Java vulnerabilities has strengthened my belief that this was a good decision after all. Over at Betanews I expressed the belief that most users do not need Java anymore, even though a lot have installed the software on their system.

Reports about a new Java vulnerability began to spread on the Internet when the Polish firm Security Explorations disclosed the vulnerability on Seclists.

We’ve recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software. The impact of this issue is critical – we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.

What makes this special is that it affects fully updated Java 5, 6 and 7 installations. The security researchers were able to successfully exploit the vulnerability on a fully patched Windows 7 test system. All recent web browsers, including Firefox, Internet Explorer and Google Chrome, were exploited successfully. The researchers note that all operating systems running Java are affected by the vulnerability, not only Windows.

Oracle has been notified about the vulnerability, but it may take days or even weeks before an update becomes available. If you have Java installed on your system right now, it is recommended to either uninstall it completely if you do not rely on desktop or web applications that depend on Java, disable it for the time being, or at least use other mitigating measures such as NoScript for Firefox or click-to-play to block plugins from being run automatically.

Windows users can consider using Java portable on their system, which does not need to be installed and therefore won’t install plugins into web browsers.
