Critical Java Vulnerability Made Possible by Earlier Incomplete Patch (Updated)
The critical Java vulnerability that is currently under attack was made possible by an incomplete patch Oracle developers issued last year to fix an earlier security bug, a researcher said.
The revelation, made Friday by Adam Gowdiak of Poland-based Security Explorations, is the latest black eye for Oracle’s Java software framework which is installed on more than 1 billion PCs, smartphones, and other devices. Last year saw a steady stream of attacks that exploited Java vulnerabilities, allowing miscreants to surreptitiously install keyloggers and other malicious software when unwitting people browsed compromised websites. The abuse has already continued into 2013, when on Thursday researchers reported yet another critical bug that is being “massively exploited in the wild”.
According to Gowdiak, the latest vulnerability is a holdover from a bug (referred to here as Issue 32) that Security Explorations researchers reported to Oracle in late August. Oracle released a patch for the issue in October but it was incomplete, he said in an e-mail to Ars that was later published to the Bugtraq mailing list.
“Bugs are like mushrooms, in many cases they can be found in a close proximity to those already spotted,” Gowdiak wrote. “It looks like Oracle either stopped the picking too early or they are still deep in the woods.”
Update: Asked for comment on Gowdiak’s comments, an Oracle spokeswoman e-mailed the following statement: “Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices. A fix will be available shortly.”
Exploits of the latest Java vulnerability, which were first observed more than a month ago, are the combination of two bugs. The first involves the Class.forName() method and allows the loading of arbitrary (restricted) classes. The second bug relies on the invokeWithArguments method call and was also a problem with Issue 32 that Oracle purportedly patched in October.