[SE-2012-01] Regarding Oracle's Critical Patch Update for Java SE Jun 13 2012 12:42PM
Security Explorations (contact security-explorations com)

Dear All,

Yesterday, Oracle released its Critical Patch Update for Java SE
software [1], which incorporates fixes for 3 of more than 20+
security issues that were reported to the company in Apr 2012 [2].

We would like to inform, that while some of the Proof of Concept
codes we developed for the aforementioned issues do not work anymore,
there are still many of them that haven't been addressed yet and that
can be successfully exploited to achieve a complete security sandbox
bypass in the environment of affected Java software.

For those willing to acquire a little bit more information about
the security issues found, we have added new FAQ and PoC pages to
our website:


Full technical details of discovered vulnerabilities and attacks
will be published at some later time.

At the end, we would like to take the opportunity and to kindly ask
Apple security people to take the time and respond to our email
inquiries. We can imagine that a full Java sandbox compromise on
Windows OS caused by a combination of Java SE and Apple Quicktime
issues [3] might not be of a high priority thing for the company.
But, it's probably better to actually take the notice, especially
if the company fails to develop a fix for same security issue a
fourth time in a row.

Thank you.

Best Regards
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] Oracle Java SE Critical Patch Update Advisory - June 2012

[2] SE-2012-01 Security vulnerabilities in Java SE
[3] Security weakness in Apple Quicktime Java extensions

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus