Researchers discover second security bug in zero day Java exploit

By Peter Gothard
29 Aug 2012

Further details of the Java exploit are coming to light, while Oracle has yet to release a fix for its customers.

Since Computing reported on Michael Schierl's research into the Java 7 exploit, Immunity Products' Esteban Guillardoy has submitted findings that suggest two separate security holes are driving the exploit.

"The first bug was used to get a reference to the sun.awt.SunToolkit class, that is restricted to applets, while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check," Guillardoy wrote on Immunity's blog.
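The "restricted to applets" part of that sentence refers to the JDK's package-access check: when a SecurityManager is active, the class loader refuses to hand sandboxed code a class from a package listed in the package.access security property (the "sun." prefix is on that list), which is why an applet normally cannot obtain sun.awt.SunToolkit by name at all. The short program below is an added illustration of that check, not code from the article or from Immunity's analysis, and it does not reproduce the exploit. It assumes Java 8 launched from the classpath; the class and method names (PackageAccessDemo, isLoadable) are ours, while sun.awt.SunToolkit, java.awt.Toolkit and the permission names are real JDK identifiers.

```java
// Added example: shows the package.access restriction that sandboxed code runs into
// when it asks for a "sun." class by name. Not from the article or Immunity's research.
// Assumes Java 8 run from the classpath (java PackageAccessDemo), where a
// SecurityManager can be installed without extra JVM flags.
import java.security.Security;

public class PackageAccessDemo {

    // Ask the application class loader for a class by name, without initialising it.
    // Returns true if the loader hands the class back, false if the package-access
    // check throws a SecurityException. (Method name is ours.)
    static boolean isLoadable(String className) {
        try {
            Class.forName(className, false, PackageAccessDemo.class.getClassLoader());
            return true;
        } catch (SecurityException e) {
            // On Java 8 this is an AccessControlException for
            // RuntimePermission("accessClassInPackage.<package>").
            return false;
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("expected a JDK 8 class: " + className, e);
        }
    }

    public static void main(String[] args) {
        // The prefixes the launcher's class loader guards once a SecurityManager is set.
        // Read before installing the manager, since reading it afterwards needs a permission.
        System.out.println("package.access = " + Security.getProperty("package.access"));

        // Install the default SecurityManager. Classpath code now runs under the default
        // policy, and the same package.access restriction the plugin applies to unsigned
        // applets is enforced by the class loader.
        System.setSecurityManager(new SecurityManager());

        // Public API packages are not on the list, so this lookup is allowed.
        System.out.println("java.awt.Toolkit loadable: " + isLoadable("java.awt.Toolkit"));

        // "sun.awt" matches the "sun." prefix: the loader calls
        // SecurityManager.checkPackageAccess("sun.awt"), which demands
        // RuntimePermission("accessClassInPackage.sun.awt"); the default policy
        // does not grant it, so the lookup fails with a SecurityException.
        System.out.println("sun.awt.SunToolkit loadable: " + isLoadable("sun.awt.SunToolkit"));
    }
}
```

The point of the check is that it is applied to the class name at load time by the requesting class loader. An attacker who can make a trusted JDK class perform the lookup on their behalf, which is what Guillardoy's "first bug" does, never goes through this code path and receives the class reference directly.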

As details of the exploit, which affects all versions of Java 7, spread more widely, Java users will look to Oracle for a patch or fix ahead of its next scheduled update on 16 October 2012.

An Oracle spokesperson today told Computing that no comment was available on the exploit. The spokesperson instead supplied a link to the Oracle Software Security Assurance Blog, which has not been updated since 10 August 2012, when it posted about Security Alert CVE-2012-3132, a vulnerability in Oracle Database Server.

Oracle's post reminds users that "it is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security effort."

Security companies such as DeepEnd, however, argue that while Oracle continues to do nothing, the publication of technical details, which lets security groups as well as attackers act on them, is all that stands between the community and total vulnerability.
