New Java exploit details emerge as attacks escalate; no patch from Oracle yet

While java hacks are an almost weekly occurrence, a zero-day exploit discovered yesterday looks set to become unusually disruptive, as Oracle has so far offered no solution, and experts are  recommending users turn off Java off unless absolutely necessary.

Threat research company DeepEnd Research approached Java expert Michael Schierl for an in-depth analysis, which has confirmed that Internet Explorer, Mozilla Firefox and even Google Chrome – for a while considered immune – are all under threat from the exploit.

The exploit affects all versions of Java 7, and with Oracle's next scheduled Java update not due until 16 October, fears are running high that the exploit will soon cause widespread problems in the wild.

DeepEnd Research said it decided to publish its research on the exploit after exploit groups such as Metasploit and Blackhole published proof that exploit packs were being built.

"We decided that witholding details of the exploit will not offer additional protection but only hinder development of protection and signatures," said DeepEnd.

Revelations from Schierl's research for DeepEnd include a method of abusing restricted package permissions which, said the software engineer, "is new to me", as well as the finding that the vulnerability seems to focus on a new, Java 7-specific class:  com.sun.beans.finder.ClassFinder. This apparently opens up restricted packages for untrusted code, and thus allows the use of GetField to access private fields.

It is being widely reported that the exploit can be carried out without any visible interruption of a browser's performance, making it even harder to pick up without specific security tools.

Once the exploit has taken control to this point, said Schierl, "no security manager is left, and the applet can do anything Java can".

Computing has contacted Oracle for comment, and is currently awaiting a response.