Blog archive

New Java Security Flaw Uncovered After Mega-Patch

Java is starting to look like a chubby guy in tight Dockers who can't sit down without splitting a seam (and yes, I analogize from experience). A week after Oracle released Java 7, Update 21, which included 42 vulnerability patches, news of a reflection API vulnerability in the newly shipped Java Runtime Environment (JRE) has emerged, as reported by veteran Java bug hunter Adam Gowdiak.

Gowdiak is CEO and founder of Security Explorations, a Poland-based security and vulnerability research company. He wrote about the security flaw on the "Full Disclosure" mailing list, a "lightly moderated high-traffic forum for disclosure of security information." (It's a great list whose contributors display a sense of humor in the face of some serious issues.)

The Java Reflection API is used to examine and modify the behavior of applications running in a Java Virtual Machine (JVM). The reflection API vulnerability affects all versions of Java SE 7, including Update 21, Gowdiak said, and can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a Web browser would require "proper user interaction," he wrote -- in other words, the user has to click "yes" to allow a malicious app to execute even when a security warning window is displayed.

Gowdiak's post comes on the heels of Oracle's recent announcement that delays in the release of Java 8 are the result of the company shifting significant material resources to work on Java security vulnerabilities.

In January, Oracle's senior product security manager, Milton Smith, told Java User Group (JUG) leaders during a conference call that the company's chief area of concern was Java plugins running applets on the browser. ""A lot of the attacks that we've seen, and the security fixes that apply to them, have been [about] Java in the browser," he said. "It's the biggest target now."

And yet Gowdiak said the new issue he found is present not only in the JRE Plugin/JDK software, but also the Server JRE. He says he sent a report to Oracle "signaling multiple security problems in Java SE 7 and the Reflection API in particular," along with proof-of-concept code, in Apr 2012.

"It's been a year since then and to our true surprise," we were still able to discover one of the simplest and most powerful instances of Java Reflection API based vulnerabilities," he wrote. "It looks [as though] Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the 'allowed' classes space. If so, no surprise that Issue 61 was overlooked."

Posted by John K. Waters on April 24, 2013