New Java exploit details emerge as attacks escalate; no patch from Oracle yet

By Peter Gothard
28 Aug 2012 View Comments
Java logo

While java hacks are an almost weekly occurrence, a zero-day exploit discovered yesterday looks set to become unusually disruptive, as Oracle has so far offered no solution, and experts are  recommending users turn off Java off unless absolutely necessary.

Threat research company DeepEnd Research approached Java expert Michael Schierl for an in-depth analysis, which has confirmed that Internet Explorer, Mozilla Firefox and even Google Chrome – for a while considered immune – are all under threat from the exploit.

Further reading

The exploit affects all versions of Java 7, and with Oracle's next scheduled Java update not due until 16 October, fears are running high that the exploit will soon cause widespread problems in the wild.

DeepEnd Research said it decided to publish its research on the exploit after exploit groups such as Metasploit and Blackhole published proof that exploit packs were being built.

"We decided that witholding details of the exploit will not offer additional protection but only hinder development of protection and signatures," said DeepEnd.

Revelations from Schierl's research for DeepEnd include a method of abusing restricted package permissions which, said the software engineer, "is new to me", as well as the finding that the vulnerability seems to focus on a new, Java 7-specific class:  com.sun.beans.finder.ClassFinder. This apparently opens up restricted packages for untrusted code, and thus allows the use of GetField to access private fields.

It is being widely reported that the exploit can be carried out without any visible interruption of a browser's performance, making it even harder to pick up without specific security tools.

Once the exploit has taken control to this point, said Schierl, "no security manager is left, and the applet can do anything Java can".

Computing has contacted Oracle for comment, and is currently awaiting a response.

Reader comments
blog comments powered by Disqus
Windows 10 - will you upgrade?

Microsoft has made an early version of Windows 10 - its next operating system - available for download. The OS promises better integration and harmonisation across platforms, including mobile and desktop. Will your business be upgrading?

36 %
31 %
13 %
20 %