System compromise in Java
Researchers at Security Explorations have reported two flaws to Oracle's developers that allow the Java sandbox restrictions to be bypassed completely.
According to a new notification from the Security Explorations researchers, two new vulnerabilities have been discovered in the latest version of Java that allow the platform's built-in sandbox restrictions to be bypassed completely. According to the expert Adam Gowdiak, the flaws affect current versions of Java SE 7, in particular the Reflection API component, whose limitations can be circumvented "in an interesting way."
Gowdiak also said that he had tested the original release of Java SE 7, Java SE 7 Update 11 and Java SE 7 Update 15. According to Security Explorations, Oracle's developers have already received all the information and the PoC code, and have pledged to take action.
Recall that news of breaches involving Java has appeared frequently in the media of late. Recently, unknown hackers managed to compromise the account of one of the administrators of the iPhoneDevSDK developer site. As a result of the incident, malicious JavaScript code was placed in the website's templates.
More detailed description of the vulnerabilities
Danger level: High
Patch: None
Number of vulnerabilities: 2
Attack vector: Remote
Impact: System compromise
Affected products: Oracle Java JDK 1.7.x / 7.x
Oracle Java JRE 1.7.x / 7.x
Affected versions:
Java SE 7 Update 11, and possibly other versions.
Java SE 7 Update 15, and possibly other versions.
Description:
The vulnerabilities allow a remote user to execute arbitrary code on the target system.
1. The vulnerability is caused by an unspecified error in the Reflection API component. This can be exploited to bypass sandbox restrictions and compromise a vulnerable system.
2. The vulnerability is caused by an unspecified error in the Reflection API component. This can be exploited to bypass sandbox restrictions and compromise a vulnerable system.
Vendor: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Solution: No fix is available at present.
Security Explorations link: http://www.security-explorations.com/en/SE-2012-01-status.html