We've recently discovered yet another security vulnerability
affecting all latest versions of Oracle Java SE software. The
impact of this issue is critical - we were able to successfully
exploit it and achieve a complete Java security sandbox bypass
in the environment of Java SE 5, 6 and 7. So far, we could only
claim such an impact with reference to Java 7 environment (the
Apple QuickTime attack relying on Issues 15 and 22 is the only
exception here). Thus, this post.
The newly discovered bug is special for several reasons. This
is our "anniversary" finding (Issue number 50). We discovered
it exclusively for JavaOne 2012 [1]. Finally, the bug allows
to violate a fundamental security constraint of a Java Virtual
Machine (type safety).
The following Java SE versions were verified to be vulnerable:
- Java SE 5 Update 22 (build 1.5.0_22-b03)
- Java SE 6 Update 35 (build 1.6.0_35-b10)
- Java SE 7 Update 7 (build 1.7.0_07-b10)
All tests were successfully conducted in the environment of a
fully patched Windows 7 32-bit system and with the following
web browser applications:
- Firefox 15.0.1
- Google Chrome 21.0.1180.89
- Internet Explorer 9.0.8112.16421 (update 9.0.10)
- Opera 12.02 (build 1578)
- Safari 5.1.7 (7534.57.2)
To fulfill the Pro Bono mission of our SE-2012-01 project [2],
we have provided Oracle corporation with a technical description
of the issue found along with a source and binary codes of our
Proof of Concept code demonstrating a complete Java security
sandbox bypass in the environment of Java SE 5, 6 and 7.
We hope that a news about one billion users of Oracle Java SE
software [3] being vulnerable to yet another security flaw is not
gonna spoil the taste of Larry Ellison's [4] morning...Java.
Thank you.
Best Regards,
Adam Gowdiak
---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------
References:
[1] Oracle Begins Final Preparations for JavaOne San Francisco 2012
and Announces Keynote Lineup
http://www.oracle.com/us/corporate/press/1843546
[2] SE-2012-01 Security vulnerabilities in Java SE
http://www.security-explorations.com/en/SE-2012-01.html
[3] Learn About Java Technology
http://java.com/en/about/
[4] Larry Ellison
http://www.forbes.com/profile/larry-ellison/