Just one week after a major security patch for Java, yet another security vulnerability has been discovered. The vulnerability does require users to accept the risk when a security warning window is displayed, but simple social engineering could entice enough users to allow the hack.
The researcher who discovered the problem, Adam Gowdiak of Polish Security Explorations, has made a name for himself discovering numerous Java zero-day vulnerabilities. In an internet posting, as reported by nakedsecurity.com, Gowdiak claims to have sent Oracle a report about a reflection API vulnerability in the newly shipped Server Java Runtime Environment (JRE), to notify them of the new security weakness.
Naked Security is quick to point out that things could have been much worse. Even if there is a vulnerability for hackers to exploit, users are still prompted with a security dialog that allows them to block the malicious activity, if they are suspicious enough about the threat.
And Oracle, the creator of Java, has certainly been feeling the heat lately. Just in the past few days, attack code targeting one of the many remote-execution vulnerabilities fixed in Java 7 Update 21 was folded into either the RedKit or CrimeBoss exploit kit. By Sunday, that attack code was being actively unleashed on unsuspecting end users, according to arstechnica.com.
To blast through the technical jargon for all you average Joes out there, Oracle describes the vulnerability as allowing execution (meaning access to your computer) without authentication (meaning without your permission). This particular vulnerability allows malware purveyors to abuse the advertising networks of legitimate enterprises, such as news websites, that readers regularly visit and trust. So, it’s imperative to have your machine updated ASAP.
To be fair to Oracle, the fact that so many applications require Java makes it an attractive target for cyber criminals, who know that most users have the application installed on their computers. But such flagrant security vulnerabilities are not acceptable for an application that sees almost universal usage in the modern computing world.
With increased market share comes increased responsibility for Oracle. Be sure to download that update as soon as it is released.