[SE-2012-01] Regarding Oracle's Critical Patch Update for Java SE

Type securityvulns
Reporter Securityvulns
Modified 2012-06-17T00:00:00


Dear All,

Yesterday, Oracle released its Critical Patch Update for Java SE software [1], which incorporates fixes for 3 of more than 20+ security issues that were reported to the company in Apr 2012 [2].

We would like to inform, that while some of the Proof of Concept codes we developed for the aforementioned issues do not work anymore, there are still many of them that haven't been addressed yet and that can be successfully exploited to achieve a complete security sandbox bypass in the environment of affected Java software.

For those willing to acquire a little bit more information about the security issues found, we have added new FAQ and PoC pages to our website:

http://www.security-explorations.com/en/SE-2012-01-faq.html http://www.security-explorations.com/en/SE-2012-01-poc.html

Full technical details of discovered vulnerabilities and attacks will be published at some later time.

At the end, we would like to take the opportunity and to kindly ask Apple security people to take the time and respond to our email inquiries. We can imagine that a full Java sandbox compromise on Windows OS caused by a combination of Java SE and Apple Quicktime issues [3] might not be of a high priority thing for the company. But, it's probably better to actually take the notice, especially if the company fails to develop a fix for same security issue a fourth time in a row.

Thank you.

Best Regards Adam Gowdiak

Security Explorations http://www.security-explorations.com "We bring security research to the new level"

References: [1] Oracle Java SE Critical Patch Update Advisory - June 2012

http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html [2] SE-2012-01 Security vulnerabilities in Java SE http://www.security-explorations.com/en/SE-2012-01.html [3] Security weakness in Apple Quicktime Java extensions http://seclists.org/bugtraq/2012/Apr/83