(LiveHacking.Com) – Adam Gowdiak, founder and CEO of Security Explorations, has posted information on the Full Disclosure mailing list about yet another security vulnerability affecting all the latest versions of Oracle’s Java SE software. He and his team have been able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass. The bug allows attackers to violate type safety, a fundamental security constraint of a Java Virtual Machine.
The following Java SE versions were verified to be vulnerable:
- Java SE 5 Update 22 (build 1.5.0_22-b03)
- Java SE 6 Update 35 (build 1.6.0_35-b10)
- Java SE 7 Update 7 (build 1.7.0_07-b10)
It appears that all the major browsers (with Java plugins) are vulnerable. In tests on a fully patched Windows 7 32-bit system, the team was able to compromise Firefox 15.0.1, Google Chrome 21.0.1180.89 and Internet Explorer 9.0.10.
Details have been given to Oracle, including a technical description of the issue and the source code for a proof of concept demonstrating the complete Java security sandbox bypass.