The critical Java vulnerability that is currently under attack was made possible by an incomplete patch Oracle developers issued last year to fix an earlier security bug, a researcher said.
The revelation, made Friday by Adam Gowdiak of Poland-based Security Explorations, is the latest black eye for Oracle’s Java software framework, which is installed on more than 1 billion PCs, smartphones, and other devices. Last year saw a steady stream of attacks that exploited Java vulnerabilities, allowing miscreants to surreptitiously install keyloggers and other malicious software when unwitting people browsed compromised websites. The abuse has already continued into 2013: on Thursday researchers reported yet another critical bug that is being “massively exploited in the wild”.
According to Gowdiak, the latest vulnerability is a holdover from a bug (referred to here as Issue 32) that Security Explorations researchers reported to Oracle in late August. Oracle released a patch for the issue in October, but the patch was incomplete, he said in an e-mail to Ars that was later published to the Bugtraq mailing list.
“Bugs are like mushrooms, in many cases they can be found in a close proximity to those already spotted,” Gowdiak wrote. “It looks like Oracle either stopped the picking too early or they are still deep in the woods.”
Update: Asked for comment on Gowdiak’s comments, an Oracle spokeswoman e-mailed the following statement: “Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices. A fix will be available shortly.”
Exploits of the latest Java vulnerability, which were first observed more than a month ago, chain two bugs. The first involves the Class.forName() method and allows the loading of arbitrary (restricted) classes. The second relies on the invokeWithArguments method and was also part of Issue 32, which Oracle purportedly patched in October.