Nytro Posted January 29, 2013

An issue with new Java SE 7 security features

From: Security Explorations <contact () security-explorations com>
Date: Sun, 27 Jan 2013 11:01:50 +0100

Hello All,

According to Oracle's Java security head, the company has recently made "very significant" security improvements to Java, such as to prevent silent exploits. The problem is that "people don't understand those features yet" [1].

Starting from Java SE 7 Update 10 released in Oct 2012, a user may control the level of security that will be used when running unsigned Java apps in a web browser [2][3]. Apart from being able to completely disable Java content in the browser, the following four security levels can be used for the configuration of unsigned Java applications:

- Low
  Most unsigned Java apps in the browser will run without prompting unless they request access to a specific old version of JRE or to protected resources on the system.

- Medium
  Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure. User will be prompted if an unsigned app requests to run on an old version of Java.

- High
  User will be prompted before any unsigned Java app runs in the browser. If the JRE is below the security baseline, user will be given an option to update.

- Very High
  Unsigned (sandboxed) apps will not run.

Unfortunately, the above is only a theory. In practice, it is possible to execute unsigned (and malicious!) Java code without a prompt corresponding to the security settings configured in the Java Control Panel.

What we found out and what is the subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above.

Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of the latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with "Very High" Java Control Panel security settings.

That said, recently made security "improvements" to Java SE 7 software don't prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:

[1] Oracle's Java security head: We will 'fix Java,' communicate better
http://www.computerworld.com/s/article/9236230/Oracle_s_Java_security_head_We_will_fix_Java_communicate_better

[2] Setting the Security Level of the Java Client
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

[3] Understanding the new security in Java 7 Update 11 by Michael Horowitz
http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Source: Full Disclosure: [sE-2012-01] An issue with new Java SE 7 security features
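The advisory's practical takeaway is that the four Control Panel levels do not remove the browser attack surface; only disabling Java in the browser (or browser-side Click to Play) does. The following added example, which is not part of the forum post or of Security Explorations' advisory, is a small audit script for a workstation's Java deployment.properties file: it parses the file, reports the configured level, and flags the machine as exposed whenever the browser plugin is enabled, whatever the level says. The property names deployment.security.level and deployment.webjava.enabled are assumed to be the keys the Java 7u10+ Control Panel writes (check them against your JRE), and the sample file content is constructed, not captured from a real system.

```python
import re

# Constructed sample of a deployment.properties file, mimicking what the
# Java Control Panel writes on a Java 7 Update 11 workstation (not real data).
SAMPLE_DEPLOYMENT_PROPERTIES = """\
#deployment.properties
#Tue Jan 29 10:00:00 CET 2013
deployment.version=7.11
deployment.security.level=VERY_HIGH
deployment.webjava.enabled=true
"""

# The four unsigned-app security levels listed in the advisory.
SECURITY_LEVELS = ("LOW", "MEDIUM", "HIGH", "VERY_HIGH")

# key=value or key:value, whitespace around the separator tolerated
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Handles '#'/'!' comment lines, blank lines, '=' or ':' separators and
    backslash line continuations; \\uXXXX escapes are left untouched."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # continued on the next line
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Summarise browser-plugin exposure implied by the settings.

    Per the advisory (Issue 53), none of the four levels stopped unsigned
    code from running silently, so 'exposed' depends only on whether the
    browser plugin is enabled. Assumption: an absent
    deployment.webjava.enabled means the plugin is on."""
    level = props.get("deployment.security.level", "").upper() or None
    if level is not None and level not in SECURITY_LEVELS:
        raise ValueError("unknown deployment.security.level: %s" % level)
    plugin_enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    return {
        "level": level,                 # None: not set, JRE default applies
        "plugin_enabled": plugin_enabled,
        "exposed": plugin_enabled,      # the level does not change this
        "advice": (
            "Set deployment.webjava.enabled=false or rely on browser Click to Play"
            if plugin_enabled
            else "Browser plugin disabled; security level is moot"
        ),
    }


def harden(props):
    """Return a copy of the settings with the browser plugin switched off."""
    fixed = dict(props)
    fixed["deployment.webjava.enabled"] = "false"
    return fixed


def to_properties(props):
    """Serialise back to .properties text, keys sorted for stable diffs."""
    return "".join("%s=%s\n" % (k, v) for k, v in sorted(props.items()))


if __name__ == "__main__":
    current = parse_properties(SAMPLE_DEPLOYMENT_PROPERTIES)
    print("before:", audit(current))
    hardened = harden(current)
    print(to_properties(hardened))
    print("after: ", audit(hardened))
```

Point the parser at the per-user file (on Windows 7 it lives under the user's LocalLow application-data directory, on other platforms under the user's .java directory) or at a system-wide deployment.config; the "exposed" flag is deliberately independent of the level so that a fleet scan does not report "Very High" machines as safe.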