Security firm publishes details about Java issue, asks for second opinion
Posted on 19 March 2013.
Making good on their promise, Security Explorations has published technical details about a Java issue that they consider to be a security vulnerability but that Oracle has categorized as demonstrating "allowed behavior".

"As of Mar 18, 2013 no information was received from Oracle that would indicate that Issue 54 is treated by the company as a security vulnerability," they wrote on Monday.

"Security Explorations believes that 3 weeks (from Feb 25 to Mar 18) constitutes enough time for a major software vendor to deliver a final confirmation or denial of a reported issue. This especially concerns a vendor that has been a subject of a considerable criticism regarding competent and prompt handling of security vulnerabilities in its software."

The firm published a document containing details about the issue, an explanation of why they consider it a vulnerability, its impact, and Oracle's response.

"Described Issue 54 is not sufficient to implement a functional and successful attack code in the environment of Java SE 7. Security Explorations discovered another issue (number 55) affecting Oracle’s Java SE 7 that allows to do this. Issues 54 and 55, when combined together can be used to successfully achieve a complete Java security sandbox bypass in a target system," the firm explained, and said that they are hoping that other researchers will use the published information to conduct an independent evaluation of the issue and provide an opinion on whether it should be considered a security vulnerability or not.

