Home page logo
/

bugtraq logo Bugtraq mailing list archives

[SE-2012-01] An issue with new Java SE 7 security features
From: Security Explorations <contact () security-explorations com>
Date: Sun, 27 Jan 2013 11:01:50 +0100


Hello All,

According to Oracle's Java security head, the company has
recently made "very significant" security improvements to
Java, such as to prevent silent exploits. The problem is
that "people don't understand those features yet" [1].

Starting from Java SE 7 Update 10 released in Oct 2012, a
user may control the level of security that will be used
when running unsigned Java apps in a web browser [2][3].
Apart from being able to completely disable Java content
in the browser, the following four security levels can be
used for the configuration of unsigned Java applications:
- Low
  Most unsigned Java apps in the browser will run without
  prompting unless they request access to a specific old
  version of JRE or to protected resources on the system.
- Medium Unsigned Java apps in the browser will run without
  prompting only if the Java version is considered secure.
  User will be prompted if an unsigned app requests to run
  on an old version of Java.
- High
  User will be prompted before any unsigned Java app runs in
  the browser. If the JRE is below the security baseline,
  user will be given an option to update.
- Very High
  Unsigned (sandboxed) apps will not run.

Unfortunately, the above is only a theory. In practice, it
is possible to execute an unsigned (and malicious!) Java
code without a prompt corresponding to security settings
configured in Java Control Panel.

What we found out and what is a subject of a new security
vulnerability (Issue 53) is that unsigned Java code can be
successfully executed on a target Windows system regardless
of the four Java Control Panel settings described above.
Our Proof of Concept code that illustrates Issue 53 has been
successfully executed in the environment of latest Java SE
7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS
and with "Very High" Java Control Panel security settings.

That said, recently made security "improvements" to Java
SE 7 software don't prevent silent exploits at all. Users
that require Java content in the web browser need to rely
on a Click to Play technology implemented by several web
browser vendors in order to mitigate the risk of a silent
Java Plugin exploit.

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Oracle's Java security head: We will 'fix Java,' communicate better

http://www.computerworld.com/s/article/9236230/Oracle_s_Java_security_head_We_will_fix_Java_communicate_better
[2] Setting the Security Level of the Java Client

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html
[3] Understanding the new security in Java 7 Update 11 by Michael Horowitz

http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11


  By Date           By Thread  

Current thread:
  • [SE-2012-01] An issue with new Java SE 7 security features Security Explorations (Jan 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]