Less than a week after Oracle released a scheduled security update for Java, an exploit that takes advantage of one of the patched bugs has been added to a popular exploit toolkit.
Researchers at security firm F-Secure said that on Sunday they first witnessed signs of ongoing attacks, which take advantage of a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17. The exploit has been added to commercially available exploit toolkits, including RedKit.
Meanwhile, a researcher has discovered a fresh, unpatched hole in Java 7, a reflection application program interface (API) flaw affecting all versions.
On Monday, Adam Gowdiak, CEO at Poland-based vulnerability research firm Security Explorations, notified Oracle of the bug. He sent the company proof-of-concept code, and that same day also posted a message about the vulnerability on the Full Disclosure mailing list.
According to Oracle, the reflection API is an “advanced feature” that gives programs the ability to examine or modify run-time behaviors of applications running in Java.
The flaw could allow an attacker to complete a Java security sandbox bypass, according to Gowdiak. The user will first see a window displaying a security warning before the vulnerability can be exploited.
“Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” Gowdiak wrote. “What's interesting is that the new issue is present not only in the [Java Runtime Environment] Plugin … but also the recently announced Server JRE as well.”
Oracle's security update last week included 42 fixes for bugs in Java and an improved notification system to help users determine the trustworthiness of Java programs before executing them.
SC reached out to Oracle, Java's maker, but did not immediately hear back.
Exploits that take advantage of outdated Java installations remain a prevalent threat for enterprises. Last month, Websense data found that only 5.5 percent of browsers with Java enabled are running the most current version of the software.
Mark Reinhold, chief architect of the Java platform group, last week announced that, due to security concerns, Java 8 would be pushed back until the first quarter of 2014, even though the platform was scheduled to become available in early September.