Oracle Java findMethod findClass Security Bypass

Added: 08/30/2012
CVE: CVE-2012-4681
BID: 55213
OSVDB: 84867

Background

Java is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets.

Problem

In Java 7.0 prior to Update 7, two vulnerabilities exist that allow malicious applets to execute arbitrary code outside the Java security sandbox. If an attacker were to host such a malicious applet on a website, they could execute arbitrary code on the systems of any vulnerable users who load the applet.

Resolution

Update to Java 7 Update 7.

References

<http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html&gt;
<http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/&gt;
<http://www.techworld.com.au/article/434757/unpatched_java_vulnerability_exploited_targeted_attacks_researchers_say/&gt;

Limitations

This exploit has been tested against Oracle JRE 7 Update 6 on the following platforms:

• Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn) using Internet Explorer 8 or 9
• Apple Mac OS X 10.7.4 using Safari
• Ubuntu Desktop 12.04 LTS using Firefox

Platforms

Windows
Mac OS X
Linux