Java, Java and once again Java, the popular framework and its vulnerabilities are becoming a really nightmare for security experts, billion of users and their machines are exposed to a series of attacks that try to exploit flaws in the Oracle software.
Security worldwide community attributes to the Java vulnerabilities the principal responsibilities for recent attacks against IT giants such as Microsoft, Facebook and Apple, but just while all discussing about the repercussion for the presence of 0-days vulnerabilities in the popular software a Polish security firm Security Explorations reported two new Java zero-day vulnerabilities, dubbed “issue 54” and “issue 55,”. Immediately the experts of Security Explorations have provided to Oracle proof of concept on what could be a new disaster for Java under security perspective.
Oracle’s security team has immediately started the necessary verifications, but there are many concerns related the possible presence of security flaws that could allow attackers to bypass Java’s security sandbox compromising target machine making possible the download of malicious code.
Recent incidents have demonstrated that hackers simply compromising a legitimate website with malicious code could exploit Java vulnerabilities in victim’s browser and infect the host.
Softpedia posted an article that reports declaration of Security Explorations CEO Adam Gowdiak:
“Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way… Without going into further details, everything indicates that the ball is in Oracle’s court. Again.”
If the vulnerabilities will be confirmed Oracle will have to release a new patch as soon as possible to avoid further serious incidents, meantime it is strongly suggested to users to disable Java plugin for their browsers if it is not strictly necessary.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.