Java 7 Update 11 Still has a Flaw

Published: 2013-01-19. Last Updated: 2013-01-19 22:27:27 UTC
by Guy Bruneau (Version: 1)
9 comment(s)

According to a posting yesterday by Adam Gowdiak of Security Explorations to Full Disclosure, Java 7 Update 11 (CVE-2013-0422) is still vulnerable as "[...] a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)."[1]

The MBeanInstantiator bug hasn't yet been addressed. Yesterday, Security Explorations reported two more vulnerabilities to Oracle along with Proof of Concept code (issues 50 and 51) [3].

We received several comments from our readers after the patch was released [4]. How many of you have followed CERT's advice to disable Java content in your web browsers after updating to 7u11? Please take a minute to answer our poll: What is your main concern about Java?

[1] http://seclists.org/fulldisclosure/2013/Jan/142
[2] http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
[3] http://www.security-explorations.com/en/SE-2012-01-status.html
[4] https://isc.sans.edu/diary/Java+0-Day+patched+as+Java+7+U+11+released/14932
[5] http://www.kb.cert.org/vuls/id/625617
[6] http://www.java.com/en/download/help/disable_browser.xml

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

I will be teaching SEC 503 in Toronto this coming June


Comments

It's still produced by Oracle. Larry needs to get his head out of his yacht and exercise a little executive pressure for some infrastructure improvements so his brand doesn't sink in the Pacific.
Java is not as critical as Flash, so I completely removed the software from all my computers. I don't see any difference in my users' experience on my computers.
Thank goodness there aren't many sites around anymore that build on Java applets (outside of corporate intranet environments).. that stuff has been superseded by Flash and HTML5 long ago, so disabling Java in the browser doesn't really hurt anymore. For applets from trusted sources, there's still the manual JNLP route open..
In Denmark, the country is completely open to malware. The digital ID we need for all comms with banking and public sector websites requires Java. So we can't disable it. And more and more 3rd party sites (including local eBay classifieds) use it as well, as it gives a proven ID. So it might be required on a webpage with infected banners.

The digital ID only requires it for the user to enter username/password, then presents a challenge, and accepts a manually entered response from the 2-factor device. So basically a simple HTML 0.9 FORM with POST.

I almost hope there will be targeted attacks against Denmark, such that the government can do away with the Java requirement. The banks (who have a backdoor to the backend) use simple forms on their mobile solutions, so it should be easy to implement.
My experience (in the UK) is that I find Java applets are often needed in the browser for booking theatre and other tickets. It would seem that many of the common systems use Java applets to provide the interface for selecting seats and the like. It is really annoying as it also prevents using an iPad for doing booking (and of course there are security implications as typically one is going on to supply payment details).
The full-disclosure posting reads a bit unclearly, but if I understood it correctly, the MBeanInstantiator bug has in fact now been fully patched - the failure to fully patch it that's being referred to was back in October, the first time Oracle took a crack at it.

Java 1.7.0_11 still has vulnerabilities, but they're newly discovered ones, and the exploit code is not in the wild.

That's if I understood the posting correctly...
df, see: http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html

"The patch did stop the exploit, fixing one of its components. But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users."
It looks like whatever is parsing this page is using the ampersand & and the text after it as a substitution variable, B&D . SGML behaved like this. Another potential attack vector.
Yeah.. special characters (apostrophes, umlauts..) have bugged this comment form for quite a while now. Probably some over-zealous escaping.. (hey, you can never be TOO safe!).
I love the title of the diary.. "Java [...] still has _a_ flaw". I'm sure it still has a few hundred flaws, and with Oracle's fixing speed, we'll probably have a few years' worth of advisories and patching left. Replacing that broken tech is probably the only solution that is going to work in the long run.