Java SE 5/6/7 critical security issue

2012-09-25 / 2013-01-12
Credit: Adam Gowdiak
Risk: High
Local: No
Remote: Yes

We've recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software. The impact of this issue is critical - we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7. So far, we could only claim such an impact with reference to Java 7 environment (the Apple QuickTime attack relying on Issues 15 and 22 is the only exception here). Thus, this post. The newly discovered bug is special for several reasons. This is our "anniversary" finding (Issue number 50). We discovered it exclusively for JavaOne 2012 [1]. Finally, the bug allows to violate a fundamental security constraint of a Java Virtual Machine (type safety). The following Java SE versions were verified to be vulnerable: - Java SE 5 Update 22 (build 1.5.0_22-b03) - Java SE 6 Update 35 (build 1.6.0_35-b10) - Java SE 7 Update 7 (build 1.7.0_07-b10) All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications: - Firefox 15.0.1 - Google Chrome 21.0.1180.89 - Internet Explorer 9.0.8112.16421 (update 9.0.10) - Opera 12.02 (build 1578) - Safari 5.1.7 (7534.57.2) To fulfill the Pro Bono mission of our SE-2012-01 project [2], we have provided Oracle corporation with a technical description of the issue found along with a source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7. We hope that a news about one billion users of Oracle Java SE software [3] being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's [4] morning...Java. Thank you. Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations "We bring security research to the new level" --------------------------------------------- References: [1] Oracle Begins Final Preparations for JavaOne San Francisco 2012 and Announces Keynote Lineup [2] SE-2012-01 Security vulnerabilities in Java SE [3] Learn About Java Technology [4] Larry Ellison


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top