New Java Vulnerability Allows Sandbox Bypass

I bet this exploit fails on win-98 systems.

I have 1.6.0_30 (Java 6 Update 30) installed on this win-98 system of
mine.  If anyone can point me to the PoC code mentioned below, I'll try
it on and post my results...


Researchers at Security Explorations have uncovered a new critical
zero-day flaw affecting all supported versions of Oracle Java.

The bug discovery was announced Tuesday on the Full Disclosure security
mailing list, though technical details of the vulnerability remain under
wraps. According to Security Explorations CEO Adam Gowdiak however, the
flaw impacts Java Standard Edition versions 5, 6 and 7 and can be used
to break out of the Java sandbox.

"The issue is tricky to find," he said. "Same for the exploit code to
develop. It would be fair to say that both were of a moderate

The researchers say they confirmed the bug on the Firefox, Google
Chrome, Internet Explorer, Opera and Apple Safari browsers. Oracle has
confirmed the flaw's existence and stated that it will be addressed in a
future Java critical patch update, according to Gowdiak.

The prevalence of Java has made it a common target for hackers,
prompting some in the security community to call for organizations to
disable the technology if it is not needed. Exploits for Java bugs have
become staples of attack kits such as Black Hole and others. There is
little danger of that in this case, however, since the bug was disclosed
privately, said Marcus Carey, security researcher at Rapid7.

"There are tons of privately reported bugs for software, which makes it
a bit strange that this is generating the amount of buzz that it is," he
said. "Organizations and consumers should always treat Java and other
plug-ins as if there are zero-day exploits out there targeting them,
even when we don't know of any specific ones being used."

To reduce risk, he recommended that users only install plug-ins when
needed and disable or uninstall them if they are unnecessary.

"If you have to enable dynamic content that requires plug-ins, only do
so from trusted sites, as others could very well be compromised," he

"If there isn't a reasonable use case for someone to have Java
installed, then they can certainly consider removing it altogether,"
Satnam Narang, security response manager at Symantec, said in an
interview Aug. 30. "However, if there is a use case for having it
installed, it's simply best to ensure that it is patched and kept
up-to-date. If there is an exploit in the wild and no patch is currently
available, users should disable Java until a patch is made available."

Due to the number of people running Java, the potential impact of the
bug could affect a large number of desktops, Gowdiak said. The severity
of the issue is also critical because of the implications of a full Java
security sandbox bypass.

"What this means is that a malicious Java applet or application
exploiting the vulnerability could run unrestricted in the context of a
target Java process such as a web browser application," he explained.
"An attacker could then install programs, view, change, or delete data
with the privileges of a logged-on user. In our proof of concept code we
create a file and execute "notepad.exe" application on Windows."

Re: New Java Vulnerability Allows Sandbox Bypass

Virus Guy laid this down on his screen :
How much?


Re: New Java Vulnerability Allows Sandbox Bypass


It would be very stupid to hand you a piece of functional code. You're
so clueless as to be dangerous with it.

It's a java vulnerability. Not OS dependent.

Which likely is easier on a win98 system, as you have no file
permissions nor user access rights of any kind to enforce or if you're
the malware, to have to get around.

I see no reason why this wouldn't work fine on your machine. It's not OS

There ain't no rest for the wicked. Money don't grow on trees. I got
bills to pay. I got mouths to feed. Ain't nothing in this world for
free. Oh No. I can't slow down, I can't hold back though you know I wish
I could. Oh no there ain't no rest for the wicked, until we close our
eyes for good.

Re: New Java Vulnerability Allows Sandbox Bypass

Dustin was thinking very hard :

On at least two previous occasions when this sort of thing came up (his
soapbox I guess) I have been trying to get him to understand that
exploit code is separate from payload code. Just because a published
POC demonstration doesn't work on (payload wasn't written for) W98
doesn't mean that the vulnerability wasn't exploited.

He likes to use this to bolster his misconception about the security of
W98 being better than NT based versions. His proposal is to take an
exploit w/payload and having its payload fail to execute (because it
wasn't written for W98) as proof that W98 wasn't vulnerable to the
exploit. Now he has clearly demonstrated that he still misses the

Re: New Java Vulnerability Allows Sandbox Bypass

Dustin wrote:


Since energy and information can not be destroyed, I think we become
part of a universal consciousness after death on Earth. Oprah Winfrey
has a quote I like, "We are all spiritual beings having a human


Nah, that's man-made crap. I prefer the term "intelligent design".  It's
compatible with science and spirituality.

Re: New Java Vulnerability Allows Sandbox Bypass

Virus Guy wrote:

See also:

What's the deal?

Is Orifice doing anything about this?
