BugTraq
[SE-2012-01] information regarding recently discovered Java 7 attack Aug 28 2012 01:22PM
Security Explorations (contact security-explorations com) (2 replies)
[SE-2012-01] New security issue affecting Java SE 7 Update 7 Aug 31 2012 10:07AM
Security Explorations (contact security-explorations com)

Hello All,

Yesterday, an out-of-band patch was released by Oracle [1], which
among other things incorporated fixes for the issues exploited by
the recent Java SE 7 attack code (ClassFinder / MethodFinder bugs).

One of the fixes incorporated in the released update also addressed
the exploitation vector with the use of the sun.awt.SunToolkit class.
Removing getField and getMethod methods from the implementation of
the aforementioned class caused all of our full sandbox bypass Proof
of Concept codes [2] not to work any more (please note, that not all
security issues that were reported in Apr 2012 got addressed by the
recent Java update).

Today we sent a security vulnerability report along with a Proof of
Concept code to Oracle. The code successfully demonstrates a complete
JVM sandbox bypass in the environment of a latest Java SE software
(version 7 Update 7 released on Aug 30, 2012). The reason for it is
a new security issue discovered, that made exploitation of some of
our not yet addressed bugs possible to exploit again.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Oracle Security Alert for CVE-2012-4681

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-18
35715.html
[2] SE-2012-01 Proof of Concept Codes (technical information)
http://www.security-explorations.com/en/SE-2012-01-poc.html

[ reply ]
Re: [Full-disclosure] [SE-2012-01] information regarding recently discovered Java 7 attack Aug 29 2012 04:10PM
Jeffrey Walton (noloader gmail com) (1 replies)
Re: [SE-2012-01] information regarding recently discovered Java 7 attack Aug 29 2012 06:40PM
Security Explorations (contact security-explorations com)


 

Privacy Statement
Copyright 2010, SecurityFocus