[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5104FB0E.1060201@security-explorations.com>
Date: Sun, 27 Jan 2013 11:01:50 +0100
From: Security Explorations <contact@...urity-explorations.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: [SE-2012-01] An issue with new Java SE 7 security
features
Hello All,
According to Oracle's Java security head, the company has
recently made "very significant" security improvements to
Java, such as to prevent silent exploits. The problem is
that "people don't understand those features yet" [1].
Starting from Java SE 7 Update 10 released in Oct 2012, a
user may control the level of security that will be used
when running unsigned Java apps in a web browser [2][3].
Apart from being able to completely disable Java content
in the browser, the following four security levels can be
used for the configuration of unsigned Java applications:
- Low
Most unsigned Java apps in the browser will run without
prompting unless they request access to a specific old
version of JRE or to protected resources on the system.
- Medium Unsigned Java apps in the browser will run without
prompting only if the Java version is considered secure.
User will be prompted if an unsigned app requests to run
on an old version of Java.
- High
User will be prompted before any unsigned Java app runs in
the browser. If the JRE is below the security baseline,
user will be given an option to update.
- Very High
Unsigned (sandboxed) apps will not run.
Unfortunately, the above is only a theory. In practice, it
is possible to execute an unsigned (and malicious!) Java
code without a prompt corresponding to security settings
configured in Java Control Panel.
What we found out and what is a subject of a new security
vulnerability (Issue 53) is that unsigned Java code can be
successfully executed on a target Windows system regardless
of the four Java Control Panel settings described above.
Our Proof of Concept code that illustrates Issue 53 has been
successfully executed in the environment of latest Java SE
7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS
and with "Very High" Java Control Panel security settings.
That said, recently made security "improvements" to Java
SE 7 software don't prevent silent exploits at all. Users
that require Java content in the web browser need to rely
on a Click to Play technology implemented by several web
browser vendors in order to mitigate the risk of a silent
Java Plugin exploit.
Thank you.
Best Regards
Adam Gowdiak
---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------
References:
[1] Oracle's Java security head: We will 'fix Java,' communicate better
http://www.computerworld.com/s/article/9236230/Oracle_s_Java_security_head_We_will_fix_Java_communicate_better
[2] Setting the Security Level of the Java Client
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html
[3] Understanding the new security in Java 7 Update 11 by Michael Horowitz
http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists