Pierluigi Paganini February 26, 2013

Java, Java and once again Java, the popular framework and its vulnerabilities are becoming a really nightmare for security experts, billion of users and their machines are exposed to a series of attacks that try to exploit flaws in the Oracle software.

Security worldwide community attributes to the Java vulnerabilities the principal responsibilities for recent attacks against IT giants such as Microsoft, Facebook and Apple, but just while all discussing about the repercussion for the presence of 0-days vulnerabilities in the popular software a Polish security firm Security Explorations reported two new Java zero-day vulnerabilities, dubbed “issue 54” and “issue 55,”. Immediately the experts of Security Explorations have provided to Oracle proof of concept on what could be a new disaster for Java under security perspective.

Oracle’s security team has immediately started the necessary verifications, but there are many concerns related the possible presence of security flaws that could allow attackers to bypass Java’s security sandbox compromising target machine making possible the download of malicious code.

Recent incidents have demonstrated that hackers simply compromising a legitimate website with malicious code could exploit Java vulnerabilities in victim’s browser and infect the host.

Softpedia posted an article that reports declaration of Security Explorations CEO Adam Gowdiak:

“Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way… Without going into further details, everything indicates that the ball is in Oracle’s court. Again.”

If the vulnerabilities will be confirmed Oracle will have to release a new patch as soon as possible to avoid further serious incidents, meantime it is strongly suggested to users to disable Java plugin for their browsers if it is not strictly necessary.

Pierluigi Paganini