Security firm publishes details about Java issue, asks for second opinion
Posted on 19 March 2013.
Making good on their promise, Security Explorations has published technical details about a Java issue that they consider to be a security vulnerability, but that Oracle has categorized as demonstrating "allowed behavior".


"As of Mar 18, 2013 no information was received from Oracle that would indicate that Issue 54 is treated by the company as a security vulnerability," they wrote on Monday.

"Security Explorations believes that 3 weeks (from Feb 25 to Mar 18) constitutes enough time for a major software vendor to deliver a final confirmation or denial of a reported issue. This especially concerns a vendor that has been a subject of a considerable criticism regarding competent and prompt handling of security vulnerabilities in its software."

The firm published a document containing details about the issue, an explanation of why they consider it a vulnerability, its impact, and Oracle's response.

"Described Issue 54 is not sufficient to implement a functional and successful attack code in the environment of Java SE 7. Security Explorations discovered another issue (number 55) affecting Oracle’s Java SE 7 that allows to do this. Issues 54 and 55, when combined together can be used to successfully achieve a complete Java security sandbox bypass in a target system," the firm explained, and said that they are hoping that other researchers will use the published information to conduct an independent evaluation of the issue and provide an opinion on whether it should be considered a security vulnerability or not.








