Full Disclosure mailing list archives

By Date By Thread [SE-2012-01] An issue with new Java SE 7 security features From: Security Explorations <contact () security-explorations com>

Date: Sun, 27 Jan 2013 11:01:50 +0100

Hello All, According to Oracle's Java security head, the company has recently made "very significant" security improvements to Java, such as to prevent silent exploits. The problem is that "people don't understand those features yet" [1]. Starting from Java SE 7 Update 10 released in Oct 2012, a user may control the level of security that will be used when running unsigned Java apps in a web browser [2][3]. Apart from being able to completely disable Java content in the browser, the following four security levels can be used for the configuration of unsigned Java applications: - Low Most unsigned Java apps in the browser will run without prompting unless they request access to a specific old version of JRE or to protected resources on the system. - Medium Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure. User will be prompted if an unsigned app requests to run on an old version of Java. - High User will be prompted before any unsigned Java app runs in the browser. If the JRE is below the security baseline, user will be given an option to update. - Very High Unsigned (sandboxed) apps will not run. Unfortunately, the above is only a theory. In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel. What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above. Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with "Very High" Java Control Panel security settings. That said, recently made security "improvements" to Java SE 7 software don't prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit. Thank you. Best Regards Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to the new level" --------------------------------------------- References: [1] Oracle's Java security head: We will 'fix Java,' communicate better http://www.computerworld.com/s/article/9236230/Oracle_s_Java_security_head_We_will_fix_Java_communicate_better [2] Setting the Security Level of the Java Client http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html [3] Understanding the new security in Java 7 Update 11 by Michael Horowitz http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ By Date By Thread Current thread: [SE-2012-01] An issue with new Java SE 7 security features Security Explorations (Jan 27)