Polish computer security research firm Security Explorations have detailed a new critical Java vulnerability. According to Security Explorations researcher Adam Gowdiak, the newly discovered Java exploit affects “one billion users of Oracle Java SE software.” He added that via a malicious Java app “An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.”
Writing on the Full Disclosure mailing list, Mr Gowdiak says that the newly found Java flaw affects “all latest versions of Oracle Java SE software”. Whereas August’s previous critical exploit affected only version 7 of the software, the new vulnerability allows “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7”. The security tests were done on a fully patched Windows 7 system using up-to-date browsers, including: Firefox 15.0.1, Google Chrome 21.0.1180.89, Internet Explorer 9.0.8112.16421 (update 9.0.10), Opera 12.02 (build 1578) and Safari 5.1.7 (7534.57.2). Java isn’t, of course, limited to Windows, so users of other platforms also need to be aware of this vulnerability.
Darlene Storm, writing on the oddly named Security is Sexy blog at ComputerWorld, interviewed Mr Gowdiak about the new critical vulnerability discovery. He told her that “A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.” Ms Storm asked Mr Gowdiak “What security advice do you have for the one billion Java users at risk?”, to which Mr Gowdiak replied “Taking into account the risk posed by the bug uncovered, it is the best to disable Java Plugin in the web browser and wait for the patches from Oracle. There are still 3 weeks till the scheduled Java Oct CPU [Critical Patch Update], so it might be possible that the bug will be addressed by the company on 16 Oct 2012.”
As yet there are no reports of this flaw being used in malware exploits, according to c|net. If you are unsure whether you need Java or not, it is advised that you disable or uninstall it and see whether any of your essential web apps depend upon it. For me the only page I ever visit requiring Java is the ADVFN live stock monitor, which I can live without because there are alternatives.