Geek News: Latest Technology, Product Reviews, Gadgets and Tech Podcast News for Geeks

Java updated last week, still vulnerable today

Posted by Alan at 11:30 AM on April 23, 2013


Oracle’s Java platform seems to be in an endless battle with Adobe Flash to see which can take the crown as the most compromised platform on your computer. Last week Oracle rolled out 42 patches for known security holes — and this was just another day for the oft-attacked software.

Now Security Explorations of Poland has announced that it has found a new Reflection API vulnerability that affects all Java versions, including 7u21, which was released just last Tuesday. “It can be used to achieve a complete Java security sandbox bypass on a target system,” the firm's Adam Gowdiak wrote on the Full Disclosure mailing list on Monday.

Because the flaw allows a complete escape from the Java security sandbox, Gowdiak says, attackers could use it to run code outside the sandbox's restrictions; he adds that he has also sent Oracle proof-of-concept code demonstrating an exploit.

There is no telling when Oracle will patch this latest flaw, but the company generally follows a Microsoft-like approach, rolling out updates in one big release.

Really, the best solution is simply to uninstall Java if you have no need for it. Also, do not confuse Java with JavaScript, which is mostly safe. Java can also be disabled within your browser, which removes the applet attack surface that these sandbox escapes rely on — a move I recommend making.

6 Comments

  1. From LuzieNews at 11:30 am on April 23, 2013

    Java updated last week, still vulnerable today http://t.co/jrtQsEjBSO

  2. From imjay07 at 12:00 pm on April 23, 2013

    Java updated last week, still vulnerable today: Oracle’s Java platform seems to be in an endless battle with A… http://t.co/eHhYSrsDk6

  3. From Anthony J Clink at 12:10 pm on April 23, 2013

    Where is this sample code or referencing article?

  4. From Alan Buckingham at 12:13 pm on April 23, 2013

    The code was not released for obvious reasons. The reference was listed in the article, but here it is again – http://seclists.org/fulldisclosure/2013/Apr/194

  5. From LuzieNews at 12:30 pm on April 23, 2013

    Java updated last week, still vulnerable today http://t.co/jrtQsEjBSO

  6. From thehovercam at 12:33 pm on April 23, 2013

    RT @geeknews Java updated last week, still vulnerable today: Oracle’s Java platform seems to be in an en… http://t.co/s83NG2zfMr #geek