On Tue, Sep 25, 2012 at 1:47 AM, Security Explorations <[email protected]> wrote: > > Hello All, > > We've recently discovered yet another security vulnerability > affecting all latest versions of Oracle Java SE software. The > impact of this issue is critical - we were able to successfully > exploit it and achieve a complete Java security sandbox bypass > in the environment of Java SE 5, 6 and 7. So far, we could only > claim such an impact with reference to Java 7 environment (the > Apple QuickTime attack relying on Issues 15 and 22 is the only > exception here). Thus, this post.
I don't see any details? This list is "full disclosure", not "touch self in public". Cheers Chris > > The newly discovered bug is special for several reasons. This > is our "anniversary" finding (Issue number 50). We discovered > it exclusively for JavaOne 2012 [1]. Finally, the bug allows > to violate a fundamental security constraint of a Java Virtual > Machine (type safety). > > The following Java SE versions were verified to be vulnerable: > - Java SE 5 Update 22 (build 1.5.0_22-b03) > - Java SE 6 Update 35 (build 1.6.0_35-b10) > - Java SE 7 Update 7 (build 1.7.0_07-b10) > > All tests were successfully conducted in the environment of a > fully patched Windows 7 32-bit system and with the following > web browser applications: > - Firefox 15.0.1 > - Google Chrome 21.0.1180.89 > - Internet Explorer 9.0.8112.16421 (update 9.0.10) > - Opera 12.02 (build 1578) > - Safari 5.1.7 (7534.57.2) > > To fulfill the Pro Bono mission of our SE-2012-01 project [2], > we have provided Oracle corporation with a technical description > of the issue found along with a source and binary codes of our > Proof of Concept code demonstrating a complete Java security > sandbox bypass in the environment of Java SE 5, 6 and 7. > > We hope that a news about one billion users of Oracle Java SE > software [3] being vulnerable to yet another security flaw is not > gonna spoil the taste of Larry Ellison's [4] morning...Java. > > Thank you. > > Best Regards, > Adam Gowdiak > > --------------------------------------------- > Security Explorations > http://www.security-explorations.com > "We bring security research to the new level" > --------------------------------------------- > > References: > [1] Oracle Begins Final Preparations for JavaOne San Francisco 2012 > and Announces Keynote Lineup > http://www.oracle.com/us/corporate/press/1843546 > [2] SE-2012-01 Security vulnerabilities in Java SE > http://www.security-explorations.com/en/SE-2012-01.html > [3] Learn About Java Technology > http://java.com/en/about/ > [4] Larry Ellison > http://www.forbes.com/profile/larry-ellison/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
