Adam Gowdiak, who has made a name for himself by finding flaws in Java, has reported a new vulnerability. Security issue 61, according to Gowdiak’s tally, affects current versions of Java SE 7, including the very latest release, version 1.7.0_21-b11.
The hole is once again present in the Reflection API and allows attackers to completely bypass the language’s sandbox to access the underlying system. Gowdiak has not published any further details about the vulnerability in order to give Oracle time to patch the problem. This means that there are now three vulnerabilities discovered by Gowdiak that still require fixes: problems 54, 56 and 61 as numbered by him.
For an attack that exploits this vulnerability to be successful, users will have to acknowledge Java’s now obligatory security warning that an applet is being executed on a web site. This makes fully automatic drive-by attacks currently infeasible. Interestingly, the server version of JRE 7 is also vulnerable, according to the researcher. However, on the question of how attack code could be introduced into the Java VM on a server, Gowdiak only points to Oracle’s guidelines on how to protect against code injection in Java.