Two New Vulnerabilities Discovered In Latest Version Of Java

Researchers from Security-Explorations.com have today notified Oracle of another serious security issue in Java 7. Two vulnerabilities, dubbed “Issue 54” and “Issue 55”, can be combined to completely bypass Java’s security sandbox. Java SE 7 Update 15 and all earlier versions appear to be affected.


As you can see from the quote below, Oracle has confirmed receipt of the vulnerability details and proof-of-concept code, but there is no news on if or when the issues will be fixed. Oracle says that “Issue 51” is currently being worked on, even though that one was reported back in January.

“25-Feb-2013

– Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 54 and 55).
– Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
– Oracle provides a monthly status report for the reported issues. The company informs that Issue 51 is under investigation / being fixed in main codeline. The report does not mention Issues 54 and 55 yet.
– Oracle provides tracking numbers for Issues 54 and 55.”
Security-explorations

With all the high-profile breaches lately (Microsoft, Apple and Facebook), it is as advisable as ever to disable Java in the browser unless it is specifically required. Recent versions of Java let the user disable it in the browser via a switch in the Java Control Panel (Oracle provides instructions for doing just that).

photo: Tama Leaver

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable both to IT professionals and to people just like you who need simple answers to their security questions.
