Two-year-old Java flaw re-emerges due to broken patch

A patch released by Oracle in 2013 can be easily bypassed to attack the latest Java versions, security researchers said

A patch for a critical Java flaw released by Oracle in 2013 is ineffective and can be easily bypassed, security researchers warn. This makes the vulnerability exploitable again, paving the way for attacks against PCs and servers running the latest versions of Java.

The flaw, tracked as CVE-2013-5838 in the Common Vulnerabilities and Exposures (CVE) database, was rated by Oracle 9.3 out of 10 using the Common Vulnerability Scoring System (CVSS). It can be exploited remotely, without authentication, to completely compromise a system's confidentiality, integrity and availability.

According to researchers from Polish security firm Security Explorations who originally reported the flaw to Oracle, attackers can exploit it to escape from the Java security sandbox. Under normal conditions, the Java Runtime Environment (JRE) executes Java code inside a virtual machine that is subject to security restrictions.

On Thursday, Security Explorations revealed that the Oracle patch for the vulnerability is broken. The fix can be trivially bypassed by making a four-character change to the proof-of-concept exploit code released in 2013, Security Explorations CEO Adam Gowdiak wrote in a message sent to the Full Disclosure security mailing list.

Gowdiak's company published a new technical report that explains how the bypass works in more detail.

The company's researchers claim that their new exploit was successfully tested on the latest available versions of Java: Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108.

In its original advisory in October 2013, Oracle noted that CVE-2013-5838 only affects client deployments of Java and can be exploited through "sandboxed Java Web Start applications and sandboxed Java applets." According to Security Explorations, this is incorrect.

"We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java," Gowdiak said in the Full Disclosure message.

On the client side, Java's default security level -- which allows only signed Java applets to run -- and its click-to-play behavior can act as mitigating factors. These security restrictions can prevent automated silent attacks.

In order to exploit the vulnerability on an up-to-date Java installation, attackers would need to find a separate flaw that allows them to bypass the security prompts or to convince users to approve the execution of their malicious applet. The latter route is more likely.

Security Explorations has not notified Oracle about the CVE-2013-5838 bypass before disclosing it. According to Gowdiak the company's new policy is to inform the public immediately when broken fixes are found for vulnerabilities that the company has already reported to vendors.

"We do not tolerate broken fixes any more," he said.

It's not clear whether Oracle will push out an emergency Java update just to patch this vulnerability, or if it will wait until the next quarterly Critical Patch Update, which is scheduled for April 19.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?