Security researchers claim Oracle knew about Java zero day flaw since April

[ShyWriter]

.

Security researchers claim Oracle knew about Java zero day flaw since April

Vendors blast tech giant for lack of action

By Alastair Stevenson

Thu Aug 30 2012, 12:32

SECURITY VENDORS HAVE slammed Oracle for not fixing a Java Zero Day vulnerability they claim the company was made aware of in April.

News that the Oracle had been contacted about the flaw earlier in the year broke when Security Explorations re-published data showing its past correspondence.

At the time of publishing Oracle had declined The INQUIRER's request for comment.

Following the revelation Security firm FireEye renewed its criticism of Oracle calling for it to release and immediate fix for the flaw

"Oracle patches Java related modules on a bi-monthly basis. We have rarely seen them issue an out of cycle patch. The next patch is scheduled for 16 October," he told The INQUIRER.

"Looks like Oracle once again is going to ignore the seriousness of this flaw and stick to their existing patch policy."

Mushtaq went on to warn that the Java flaw has become more dangerous after an exploit for it was recently added to the Blackhole malware kit.

"Keeping in mind the millions of machines running vulnerable versions of Java and hundreds of Blackhole users, I have no doubt that unless Oracle quickly moves for a patch, the next few months will be disastrous for many internet users," he said.

Furthermore, Fireeye's attack comes as Security Explorations republished data on its blog indicating it had contacted Oracle about the flaw back in April but the company took no action.

Oracle declined to comment on these revelations.

Providing more details on the threat, Mushtaq explained that the exploit appears to work by targeting two vulnerabilities within Java to install malware onto targeted machines.

"This attack exploits functionality offered by two recently added vulnerable Java class methods. The attacker's main target is the Java Security Manager (JSM)," he explained.

"By calling vulnerable methods in a certain sequence, an attacker can disable the JSM. In an example attack scenario a user might receive a phishing email from an attacker luring him to click on a web link.

"This link, while running inside the user's browser, will load a malicious Java applet and use the vulnerability to get privileges to run any program on the user's system without his/her permission."

The scale of flaw's damage remains unknown, though Mushtaq warned it could lead to a malware pandemic if it remains unpatched.

"So far we have seen attackers successfully able to run banking Trojans and spying toolkits on several thousand windows machines running the vulnerable Java version," he said.

"Unlike other exploits that may crash your browser and give you a feeling that something is wrong, this attack really works silently." µ

SOURCE: http://www.theinquir...a-zero-day-flaw

Steve

[ShyWriter]

.

Adam Gowdiak: Oracle knew about Java vulnerabilities for months

Submitted by l33tdawg on Thu, 2012-08-30 00:50

Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.

Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day -- unpatched -- vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.

SOURCE: http://news.hitb.org...bilities-months

Steve