Full Disclosure mailing list archives
[SE-2012-01] Critical security issue affecting Java SE 5/6/7
From: Security Explorations <contact () security-explorations com>
Date: Tue, 25 Sep 2012 10:47:17 +0200
Hello All, We've recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software. The impact of this issue is critical - we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7. So far, we could only claim such an impact with reference to Java 7 environment (the Apple QuickTime attack relying on Issues 15 and 22 is the only exception here). Thus, this post. The newly discovered bug is special for several reasons. This is our "anniversary" finding (Issue number 50). We discovered it exclusively for JavaOne 2012 [1]. Finally, the bug allows to violate a fundamental security constraint of a Java Virtual Machine (type safety). The following Java SE versions were verified to be vulnerable: - Java SE 5 Update 22 (build 1.5.0_22-b03) - Java SE 6 Update 35 (build 1.6.0_35-b10) - Java SE 7 Update 7 (build 1.7.0_07-b10) All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications: - Firefox 15.0.1 - Google Chrome 21.0.1180.89 - Internet Explorer 9.0.8112.16421 (update 9.0.10) - Opera 12.02 (build 1578) - Safari 5.1.7 (7534.57.2) To fulfill the Pro Bono mission of our SE-2012-01 project [2], we have provided Oracle corporation with a technical description of the issue found along with a source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7. We hope that a news about one billion users of Oracle Java SE software [3] being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's [4] morning...Java. Thank you. Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to the new level" --------------------------------------------- References: [1] Oracle Begins Final Preparations for JavaOne San Francisco 2012 and Announces Keynote Lineup http://www.oracle.com/us/corporate/press/1843546 [2] SE-2012-01 Security vulnerabilities in Java SE http://www.security-explorations.com/en/SE-2012-01.html [3] Learn About Java Technology http://java.com/en/about/ [4] Larry Ellison http://www.forbes.com/profile/larry-ellison/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [SE-2012-01] Critical security issue affecting Java SE 5/6/7 Security Explorations (Sep 25)
- Re: [SE-2012-01] Critical security issue affecting Java SE 5/6/7 Chris Evans (Sep 25)
- Re: [SE-2012-01] Critical security issue affecting Java SE 5/6/7 Security Explorations (Sep 26)
- Re: [SE-2012-01] Critical security issue affecting Java SE 5/6/7 Chris Evans (Sep 25)