Security firm publishes details about Java issue, asks for second opinion
Posted on 19 March 2013.
Making good on their promise, Security Explorations has published technical details about a Java issue that they consider to be a security vulnerability, but that Oracle has categorized as demonstrating "allowed behavior".

"As of Mar 18, 2013 no information was received from Oracle that would indicate that Issue 54 is treated by the company as a security vulnerability," they wrote on Monday.

"Security Explorations believes that 3 weeks (from Feb 25 to Mar 18) constitutes enough time for a major software vendor to deliver a final confirmation or denial of a reported issue. This especially concerns a vendor that has been a subject of a considerable criticism regarding competent and prompt handling of security vulnerabilities in its software."

The firm published a document containing details about the issue, an explanation of why they consider it a vulnerability, its impact, and Oracle's response.

"Described Issue 54 is not sufficient to implement a functional and successful attack code in the environment of Java SE 7. Security Explorations discovered another issue (number 55) affecting Oracle’s Java SE 7 that allows to do this. Issues 54 and 55, when combined together can be used to successfully achieve a complete Java security sandbox bypass in a target system," the firm explained, and said that they are hoping that other researchers will use the published information to conduct an independent evaluation of the issue and provide an opinion on whether it should be considered a security vulnerability or not.

