Adam Gowdiak, CEO and founder of Security Explorations, has found a way to bypass the Java sandbox, the mechanism that isolates untrusted Java code (such as applets loaded in a browser) from the operating system so that malicious code cannot easily attack the host. Anyone with Java installed is therefore exposed to attack again.
Gowdiak is a very experienced Java hacker who has uncovered more than 50 security issues in the Java platform in recent years.
“Once we found that our complete Java sandbox bypass codes stopped working after the update was applied, we looked again at POC [proof of concept] codes and started to think about the possible ways of how to fully break the latest Java update again,” Gowdiak told ComputerWorld. “A new idea came, it was verified and it turned out that this was it.”
Gowdiak went on to tell The Register that the latest vulnerability is related to bugs he reported to Oracle back in April, which the company has yet to patch.
To keep the vulnerability out of attackers' hands, Gowdiak will not publish details of how to exploit it. He does not know if or when Oracle plans to issue a patch for it.
As to the chances of attackers discovering this vulnerability independently, he does not rule that out, but says the issue is “a little bit more difficult to find”.
This latest vulnerability in Java reinforces my belief that if you don’t need Java — and chances are nowadays that unless you know why you need it, you don’t — then you should disable it, whether you are running Windows or Mac. This is not as easy to do as it should be, but this guide to disabling Java will help you for the different browsers under both Windows and Mac.
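Before you go hunting through browser settings, it helps to know whether a Java runtime and the browser applet plug-in are actually present, since the plug-in is what exposes the sandbox to web content. The script below is an added example for macOS, not part of the original post or of any guide it links to; it assumes the conventional locations of the era (the `/usr/libexec/java_home` helper and the `JavaAppletPlugin.plugin` / `JavaPlugin2_NPAPI.plugin` bundles under the Internet Plug-Ins folders), which are assumptions about the installation layout rather than something the post states. A Windows check would need PowerShell and is not shown here.

```shell
#!/bin/sh
# Inventory Java on a Mac: which JVMs are installed and whether the browser
# applet plug-in (the part reachable from web pages) is present.
# Bundle names and directories below are assumed macOS conventions.

# check_java_plugin DIR...: print every Java browser plug-in bundle found under
# the given Internet Plug-Ins directories. Returns 0 if at least one was found,
# 1 if none were (so it can be used directly in an if/&& test).
check_java_plugin() {
    found=1
    for dir in "$@"; do
        # Oracle's plug-in and Apple's older NPAPI plug-in (assumed names)
        for bundle in "$dir/JavaAppletPlugin.plugin" "$dir/JavaPlugin2_NPAPI.plugin"; do
            if [ -e "$bundle" ]; then
                echo "java plug-in present: $bundle"
                found=0
            fi
        done
    done
    return $found
}

# list_java_runtimes: report the JVMs the system knows about, if the
# java_home helper exists, plus whatever `java` is first on PATH.
list_java_runtimes() {
    if [ -x /usr/libexec/java_home ]; then
        /usr/libexec/java_home -V 2>&1   # -V lists all matching JVMs
    else
        echo "no /usr/libexec/java_home helper found"
    fi
    if command -v java >/dev/null 2>&1; then
        java -version 2>&1              # java prints its version on stderr
    else
        echo "no java binary on PATH"
    fi
}

# Run the inventory when executed directly (system-wide and per-user plug-in
# folders are the assumed locations).
if [ "${0##*/}" = "java-inventory.sh" ]; then
    list_java_runtimes
    if check_java_plugin /Library/Internet\ Plug-Ins "$HOME/Library/Internet Plug-Ins"; then
        echo "browser plug-in found: disable it (or remove the bundle) to take Java out of the browser"
    else
        echo "no Java browser plug-in installed; web content cannot reach Java"
    fi
fi
```

Save it as `java-inventory.sh` and run it; the bottom block only fires under that name so the functions can be sourced from another script. Note that disabling the plug-in in one browser does not help the others: each browser loads the bundle independently, which is why the guide linked above walks through them one by one.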