Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [SE-2012-01] Java 7 Update 11 confirmed to be vulnerable
From: bytze bytze <gbytze () gmail com>
Date: Mon, 21 Jan 2013 12:46:30 -0500

U guys are the best....thank u for what u do
On Jan 21, 2013 9:46 AM, "Security Explorations" <
contact () security-explorations com> wrote:

Hello All,

This post might be interesting for those concerned about the
state of Oracle's Java SE security.

We have successfully confirmed that a complete Java security
sandbox bypass can be still gained under the recent version
of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).

MBeanInstantiator bug (or rather a lack of a fix for it [2][3])
turned out to be quite inspirational for us. However, instead
of relying on this particular bug, we have decided to dig our
own issues. As a result, two new security vulnerabilities (51
and 52) were spotted in a recent version of Java SE 7 code and
they were reported to Oracle today [4] (along with a working
Proof of Concept code).

Thank you.

Best Regards
Adam Gowdiak

Security Explorations
"We bring security research to the new level"

[1] Oracle Security Alert for CVE-2013-0422

[2] Java 7 Update 11 Addresses the Flaw Partly Fixed in October 2012,
Experts Say

[3] Confirmed: Java only fixed one of the two bugs

[4] SE-2012-01 Vendors status

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]