Security firm publishes details about Java issue, asks for second opinion

Making good on their promise, Security Exploration has published technical details about a Java issue that they consider to be a security vulnerability, but Oracle has categorized as demonstrating “allowed behavior”.

“As of Mar 18, 2013 no information was received from Oracle that would indicate that Issue 54 is treated by the company as a security vulnerability,” they wrote on Monday.

“Security Explorations believes that 3 weeks (from Feb 25 to Mar 18) constitutes enough time for a major software vendor to deliver a final confirmation or denial of a reported issue. This especially concerns a vendor that has been a subject of a considerable criticism regarding competent and prompt handling of security vulnerabilities in its software.”

The firm published a document containing details about the issue, and explanation about why they consider it a vulnerability, its impact, and Oracle’s response.

“Described Issue 54 is not sufficient to implement a functional and successful attack code in the environment of Java SE 7. Security Explorations discovered another issue (number 55) affecting Oracle’s Java SE 7 that allows to do this.Issues 54 and 55, when combined together can be used to successfully achieve a complete Java security sandbox bypass in a target system,” the firm explained, and said that they are hoping that other researchers will use the published information to conduct an independent evaluation of the issue and provide an opinion on whether it should be considered a security vulnerability or not.