|reply to chachazz |
Re: Warning: 0-Day vulnerability in Java 7
Part II Java 7 0-Day vulnerability analysis
Considering that Rapid 7 posted a working exploit and addition to the exploit packs is imminent (Attackers Pounce on Zero-Day Java Exploit by Brian Krebs), plus other analysis articles are being published such as New Java 0day exploited in the wild -by Alienvault, we decided that witholding details of the exploit will not offer additional protection but only hinder development of protection and signatures.
As we mentioned earlier, we contacted Michael Schierl,, the Java expert who discovered a number of Java vulnerabilities and asked him to have a look. He sent back his detailed analysis, exploit source, the interim patch with the source code of the patched class.
... info for requesting the patch ...
~ The real vulnerability seems to be inside the new Java7 class com.sun.beans.finder.ClassFinder which seems to make it possible for untrusted code to get access to classes in restricted packages (i. e. packages that are part of the security implementation itself and where usually untrusted code cannot get either access or call it).
~This method of abusing restricted package permissions is new to me (it does not work in Java 6 either as GetField was private there); but it is not unique - there are several ways you can use to get out of the sandbox if you have access to restricted packages - usually they need abit more code though.
The Analysis - »www.deependresearch.org/2012/08/···sis.html--
Gladiator Security Forum: www.gladiator-antivirus.com/