Researcher uncovers new Java exploit, 1 billion Macs and PCs at risk

By on September 26, 2012, 1:30 PM

Security researcher Adam Gowdiak has uncovered a new zero-day vulnerability in Oracle’s Java software. The bug is said to be present in currently-supported versions including Java 5, Java 6 and Java 7 and has the potential to allow attackers to install malware on nearly 1 billion systems (based on installation numbers from Oracle).

The exploit affects Macs and PCs equally, which means that any system running Java could be at risk. The good news, at least for now, is that it poses little danger to the general public: Gowdiak, who is known for finding similar chinks in Java's armor, said he isn't aware of any active attacks that exploit this particular vulnerability.

He reportedly discovered it last week and spent this past weekend testing a proof-of-concept before reporting it to Oracle yesterday. The software company has since confirmed the vulnerability with Gowdiak and said it will be patched in a future security update. Oracle didn't say exactly when that would happen, but the next scheduled update on its calendar is October 16.

The security researcher said he decided to go public with his findings, short of detailing exactly how to exploit the vulnerability, in the hope that it would put pressure on Oracle to patch it sooner rather than later. He’s hoping the software company will be able to get the work done in time for next month’s patch update before hackers can discover it on their own.

User Comments: 20

andrewdoyle88 said:

My Java is acting up in Chrome; it says it's blocked because it's out of date, but once updated it does the same thing.

Guest said:

Time to uninstall java....never liked it anyways.

bexwhitt said:

When I fix a pc these days I usually uninstall java

Camikazi said:

I haven't found a program that I use that needs Java, so I have had no problems since I uninstalled it a while ago.

pmkrefeld said:

I just loled about people having no idea what they are doing and I do not mean Oracle xD

Alexmx said:

I haven't found a program that I use that needs Java, so I have had no problems since I uninstalled it a while ago.

sadly, here in my work we use a java based platform...=/

ramonsterns said:

If it's not one thing it's another, I'm tired of Java putting out their crap like this. Uninstalled.

Guest said:

Adam Gowdiak has uncovered a potential bug in Java.

He isn't aware of any active attacks that exploit this particular vulnerability

So he,

Spent a week testing a proof-of-concept before revealing it to Oracle yesterday.

The software company has since confirmed it will be patched in a future security update.

What does Gowdiak do?

before hackers can discover it on their own. Gowdiak decided to go public with his findings

Darth Shiv said:

Adam Gowdiak has uncovered a potential bug in Java.

He isn't aware of any active attacks that exploit this particular vulnerability

So he,

Spent a week testing a proof-of-concept before revealing it to Oracle yesterday.

The software company has since confirmed it will be patched in a future security update.

What does Gowdiak do?

before hackers can discover it on their own. Gowdiak decided to go public with his findings

Has he actually publicly disclosed the vulnerability attack vector? Or just its existence?

treetops said:

Java has always seemed to have security problems; how about they let you click a check box to only install month-old updates.

Wagan8r said:

I love how nobody commenting even knows what Java is, yet are all too eager to jump on the Java bashing bandwagon.

Camikazi said:

I love how nobody commenting even knows what Java is, yet are all too eager to jump on the Java bashing bandwagon.

Seems to me they know what Java is, and most are right that Java has been full of holes and bugs for a long time, rivaling Flash in that regard. Now unless you have some info on why you think people commenting don't know what Java is, I will assume you are confusing it with JavaScript and are really the one in error.

spydercanopus said:

I've been getting 'invalid security certificate' warnings when java checks for updates for the last month or so.

Per Hansson (Staff), TS Server Guru, said:

There exist other unpatched holes in Java, and there have been for a couple of weeks now.

They are already part of the Blackhole exploit kit so it's out there and being actively exploited.

I'd advise either disabling Java in all your browsers (easier on some than others)

or just uninstalling Java.
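As an added illustration of the "is my Java out of date?" question raised in the comments (this is my own example, not code from the article or any commenter), the POSIX shell functions below parse the version line that `java -version` prints and compare it against a minimum major/update level chosen by the administrator. The version strings and the minimum level (7 update 7) are constructed samples; the regular expression covers the `1.x.y_NN` scheme used by Java 5, 6 and 7, and the check only looks at the runtime on PATH, not a copy bundled inside an application or the one a browser plugin happens to load.

```shell
#!/bin/sh
# Added example, not from the article or its commenters: parse the first line
# printed by `java -version` and test whether the installed runtime is at or
# above a minimum major/update level chosen by the administrator.
# The version strings and the minimum level used below are constructed samples.

# parse_java_version LINE
# Extracts "MAJOR UPDATE" from a line such as: java version "1.7.0_07"
# Prints "7 07" for that input; prints nothing if the line does not match
# the 1.x.y_NN scheme used by Java 5, 6 and 7.
parse_java_version() {
  printf '%s\n' "$1" |
    sed -n 's/^java version "1\.\([0-9][0-9]*\)\.[0-9][0-9]*_\([0-9][0-9]*\)".*$/\1 \2/p'
}

# strip_zeros NUMBER -> NUMBER without leading zeros ("07" -> "7", "00" -> "0"),
# so that update numbers compare as integers rather than as text.
strip_zeros() {
  n=$(printf '%s' "$1" | sed 's/^0*//')
  printf '%s\n' "${n:-0}"
}

# java_at_least LINE MIN_MAJOR MIN_UPDATE
# Exit 0 if LINE describes a runtime >= MIN_MAJOR update MIN_UPDATE,
# 1 if it is older, 2 if LINE could not be parsed (unknown is not treated as safe).
java_at_least() {
  parsed=$(parse_java_version "$1")
  [ -n "$parsed" ] || return 2
  major=$(strip_zeros "${parsed%% *}")
  update=$(strip_zeros "${parsed##* }")
  min_major=$(strip_zeros "$2")
  min_update=$(strip_zeros "$3")
  if [ "$major" -gt "$min_major" ]; then return 0; fi
  if [ "$major" -lt "$min_major" ]; then return 1; fi
  [ "$update" -ge "$min_update" ]
}

# Stand-alone usage against the runtime on PATH, if there is one.
# `java -version` writes its banner to stderr, hence the 2>&1.
if command -v java >/dev/null 2>&1; then
  first_line=$(java -version 2>&1 | head -n 1)
  if java_at_least "$first_line" 7 7; then
    echo "OK: $first_line"
  else
    echo "OUTDATED or unknown: $first_line"
  fi
fi
```

The parse step and the comparison are kept separate so that an unparseable banner (a different runtime, a newer version scheme, or an environment-variable notice printed ahead of the banner) is reported as unknown rather than silently passing. Treat the minimum level as a placeholder to be set once Oracle publishes the fixed update.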

cliffordcooley, TechSpot Paladin, said:

Can someone correct me if I'm mistaken?

I've always assumed Java was the base code which allows JavaScript to run, and that even if Java was uninstalled the browser is still capable of the most basic elements of Java.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I am not a programmer and will never fully understand how applications are coded or how updates are implemented. I am forced to trust others to do the programming that I require for my applications. I think I can speak for over half the world's population and say they don't either. I know I don't keep up with the latest and greatest updates, which might leave my machine at risk the greatest amount of time. It's not that I don't want my PC updated to be the most secure; I just don't spend time checking for updates. Even when an update is presented, I may even ignore it because there are so many applications that want to update regularly.

I know I might stir up a stink with this comment.

Maybe applications with potential for security holes should disable themselves or at least the code with the security issue, if there has been an update for over 30 days. Since I'm already dependent on programmers that offer the application, I see no reason why I shouldn't be required to keep the application updated if I plan to continue using it. I would be more apt to stay updated, if what I'm trying to do requires an update before processing. I think this would hold true for more people than just myself.

Out of all the PCs being compromised, the only way to decrease these numbers is to decrease the potential for these PCs to be compromised.

I will leave with a final thought.

Out of all the PCs contributing to botnets without the users' knowledge, I wonder if some of them could have been protected by applications automatically disabling outdated code.

Wagan8r said:

I love how nobody commenting even knows what Java is, yet are all too eager to jump on the Java bashing bandwagon.

Seems to me they know what Java is, and most are right that Java has been full of holes and bugs for a long time, rivaling Flash in that regard. Now unless you have some info on why you think people commenting don't know what Java is, I will assume you are confusing it with JavaScript and are really the one in error.

Yeah, no. Java and JavaScript are two entirely unrelated technologies. Do you really want me to go through each comment and point out how each one only signifies having heard of Java before?

No software is free from bugs. Something that is installed on a ridiculous amount of devices is going to be hit harder than those which are not, and vulnerabilities WILL be found no matter what the product is. Ever since Oracle bought out Sun, Java has been put on the back burner, so I blame Oracle for not fixing things, and not some fundamental problem with Java.

Can someone correct me if I'm mistaken?

I've always assumed Java was the base code which allows JavaScript to run, and that even if Java was uninstalled the browser is still capable of the most basic elements of Java.

No, Java and JavaScript have nothing in common. JavaScript is a scripting language that is used in a lot of webpages to execute conditional/algorithmic logic, as HTML can only represent a page's layout.

Java is a collection of technologies, but is foremost a programming language. However, Java is also designed to be able to run on any platform (Windows, Linux, OSX, AIX, Solaris, etc.) without any code modifications, spawning the "write once, run anywhere" (WORA) mantra. To do this, however, there has to be a layer between the code that a programmer writes and the OS. This layer transforms the standard Java operations into understandable commands for the particular OS, and is therefore called the Java Virtual Machine (JVM). The JVM must be present on a computer for Java code to execute, so that is why you need to install the Java Runtime Environment (JRE), also known as "installing Java". Now, what might be confusing you in regard to JavaScript is that with Java you can also embed little Java programs WITHIN a webpage. These programs are called applets (tiny apps). The image used in this article is a screenshot of an applet loading on a webpage. If Java is uninstalled, applets will no longer work within your browser, but JavaScript will still execute because it is not part of the Java platform.

3DCGMODELER said:

If you disconnect your computer from the internet, the problem will be solved..

ta da..

easy fix ya think..

jobeard, TS Ambassador, said:

No, Java and JavaScript have nothing in common. JavaScript is a scripting language that is used in a lot of webpages to execute conditional/algorithmic logic, as HTML can only represent a page's layout.

Java is a collection of technologies, but is foremost a programming language. ...

Well said; Wagan8r knows.

@Camikazi: I haven't found a program that I use that needs Java, so I have had no problems

Great - - life is easy for you. Personally I have a PGP tool that runs on a JRE layer. As it is well written, it does not rely upon the commonly installed instance like the browser does. In fact, it is still a Java 5.x JRE (Wagan8r: watch'm carp on that stmt.) installed within the application install area. Runs great, is secure and is reliable. Java is cool when it is handled correctly.

spydercanopus said:

You guys have obviously not played MINECRAFT! Requires JRE on server and client. Sweet, sweet Java

TJGeezer said:

@Wagan8r - Thanks for the clearest explanation I've seen, not only of the difference between Java and JavaScript, but of how Java works and the function of the JRE.
