Zero-Day Flaws in Java Re-Emerge; No Exploitation in the Wild Yet

Two new security flaws have been detected in the latest version of Java 7 (Update 15) by security researchers at Polish company Security Explorations.

According to their account, the security issues dubbed “issue 54” and “issue 55” can be combined to bypass the Java sandbox and execute privileged arbitrary code from an untrusted source. Although the flaws were discovered before they got exploited in the wild, cyber-criminals may start using them before an official fix becomes available.

“Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way,” Security Explorations CEO Adam Gowdiak told Softpedia. “Without going into further details, everything indicates that the ball is in Oracle’s court. Again.”

According to the specialists at Security Explorations, the exploitation mechanism has been confirmed to work with the first version of Java 7, Java 7 u11, and the latest version available, Java 7 u15. Both issues have been documented and delivered to Oracle along with proof-of-concept code.

If the flaws don’t get exploited in the wild in the meantime, the patch will likely show up on April 16, during the regular patch update. As usual, we recommend you enable the Java browser plugin only when you need to access a trustworthy resource requiring it. You should deactivate Java again when you’re done with it.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
