Two more zero-day Java bugs discovered
Polish researchers find more flaws in Java 7 browser plug-in.
Java has been hit by the discovery of two more vulnerabilities. Polish security firm Security Explorations has reported the bugs to Oracle.
The security company said that it had submitted information about the bugs, including proof-of-concept exploits to Oracle.
"We had yet another look into Oracle's Java SE 7 software that was released by the company on Feb. 19," said Adam Gowdiak, in a posting to security forum, Seclists.org. "As a result, we have discovered two new security issues, which when combined together, can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03)."
Gowdiak said that both new issues are specific to Java SE 7 only. "They allow toabuse the Reflection API in a particularly interesting way," he added.
"Without going into further details, everything indicates that a ball is in Oracle's court. Again."
The flaws do not affect Java 6, which Oracle has officially retired from support.
Gowdiak said in an update to the posting that Oracle has provided his firm results of its analysis and said that while one flaw had been confirmed as an issue, the other, dubbed "Issue 54" was "not treated as a vulnerability as it demonstrates the 'allowed behavior'".
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Gowdiak said he disagreed with Oracle's assessment of Issue 54.
"There is a mirror case corresponding to Issue 54 that leads to access denied condition and a security exception," he said. "That alone seems to be enough to contradict the "allowed behavior" claim by the company (is it possible to claim a non-security vulnerability when access is denied for a public API, but allowed for some private code path?)."
He warned Oracle that if it stuck with its original assessment, his company would have "no choice than to publish details of Issue 54".
The vulnerabilities are the latest in a slew of problems affecting the code. Twice this year Oracle has had to rush out emergency out-of-band patches to fix flaws in Java.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.