If you were one of the people who promptly updated the Java installation on your system last week, then you probably felt like things should be in good shape for a bit. Guess again. As seems to be the pattern lately, another new security hole has already been found, and it affects all versions of Java 7, including the latest release.
The latest security hole was found in the Reflection API and affects all Java 7 (JRE 7) versions, including last week’s 1.7.0_21-b11 release. An unusual aspect of the security hole is its presence in the JRE Plugin, JDK software, and Server JRE. How fully the new exploit can affect a system, though, depends on the amount of access the user allows.
From the Full Disclosure blog post: “The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).”
You can read more about the latest security hole at the blog posts linked below…
Note: If you do not need Java on your system, we recommend uninstalling it entirely or disabling the browser plugin.
[SE-2012-01] Yet another Reflection API flaw affecting Oracle’s Java SE [Full Disclosure Mailing List Archives - Seclists.org]
- Published 04/24/13