29 January 2013
Security Explorations researcher Adam Gowdiak says Oracle's new defences for Java applets have already failed and features designed to prevent silent exploits of Java vulnerabilities are easily bypassed. Gowdiak was responding to Oracle's latest attempt to manage the security flaws that are being exposed in Java.
Oracle's Java security lead held a press call last week, saying the company needed to explain what it had done to secure Java in the wake of the vulnerabilities previously reported by Gowdiak. One of the changes was a security level setting that controls the execution of unsigned Java applets: Low, Medium, High or Very High.
According to Oracle's documentation, the Low setting allows unsigned applets to run, prompting only when an applet requests a protected resource or an outdated JRE; Medium runs applets only if the installed version of Java is "considered secure"; High prompts before any unsigned applet runs; and Very High blocks all unsigned applets.
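For reference, the same setting can be applied outside the Java Control Panel through the deployment properties file. The fragment below is an added example and is not from the article or from Oracle; the file location and the property names are taken from Oracle's Java deployment configuration as the editor recalls it and should be verified against the documentation for the installed release. Note that, per Gowdiak's claim above, even the Very High value does not stop his proof-of-concept applet, so this is a hardening baseline rather than a fix.

```properties
# deployment.properties (per-user copy on Windows lives under
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\ ; a system-wide copy can be
# pointed to from deployment.config). Assumed paths and keys, see lead-in.

# Security level for unsigned applets: LOW, MEDIUM, HIGH or VERY_HIGH.
# VERY_HIGH is the setting the article says should block all unsigned applets.
deployment.security.level=VERY_HIGH

# Lock the value so the Java Control Panel cannot lower it (the ".locked"
# suffix is the deployment-properties convention for enforced settings).
deployment.security.level.locked
```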
Gowdiak calls this "only a theory" and says he has already developed a proof-of-concept applet that runs successfully on Windows regardless of which Java applet security level is set. That includes the latest Java SE 7 Update 11 (1.7.0_11-b21) on Windows 7.
Although few details have been published, Gowdiak's track record to date suggests that his bypass will hold up to scrutiny. There is no suggestion that the technique has been observed in the wild. His advice for avoiding silent exploits is to enable the "Click to Play" functionality for plugins that is implemented in Chrome and Firefox, so that no applet is started without an explicit click from the user.
Read the full story here: