Two more zero-day Java bugs discovered

News 28 Feb, 2013

Polish researchers find more flaws in Java 7 browser plug-in.

Java has been hit by the discovery of two more vulnerabilities. Polish security firm Security Explorations has reported the bugs to Oracle.

The company said it had submitted details of both bugs, including proof-of-concept exploits, to Oracle.

"We had yet another look into Oracle's Java SE 7 software that was released by the company on Feb. 19," said Adam Gowdiak in a posting to the Seclists.org mailing-list archive. "As a result, we have discovered two new security issues, which when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03)."

Gowdiak said that both new issues are specific to Java SE 7 only. "They allow to abuse the Reflection API in a particularly interesting way," he added.

"Without going into further details, everything indicates that a ball is in Oracle's court. Again."

The flaws do not affect Java 6, which Oracle has officially retired from support.

Gowdiak said in an update to the posting that Oracle had provided his firm with the results of its analysis: one flaw had been confirmed as a security issue, while the other, dubbed "Issue 54", was "not treated as a vulnerability as it demonstrates the 'allowed behavior'".

Gowdiak said he disagreed with Oracle's assessment of Issue 54.

"There is a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception," he said. "That alone seems to be enough to contradict the 'allowed behavior' claim by the company (is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?)."

He warned Oracle that if it stuck with its original assessment, his company would have "no choice than to publish details of Issue 54".

The vulnerabilities are the latest in a slew of security problems affecting the Java platform. Twice this year Oracle has had to rush out emergency out-of-band patches to fix flaws in Java.