Thursday, July 18, 2013


Critical JAVA Sandbox Bypass Vulnerability in Java 7 Update 25

  • Nauman Ashraf
  • Security Explorations, a Polish company, has found a critical Java vulnerability that bypasses the Java sandbox. Vulnerable versions are Java 7 and its previous ones.


    What’s interesting about the attack is that it’s not new. Experts say the attack method has been known for over 10 years and it should have been mitigated with the Reflection API introduced in Java SE 7. It's one of those risks one should protect against in the first place when new features are added to Java at the core VM level, according to Softpedia.

    The vulnerability, dubbed “issue 69,” can be exploited via a “very classic attack” for a complete Java sandbox bypass, according to Adam Gowdiak, the CEO of Security Explorations.

    The details and Proof of Concept of the vulnerability have been submitted to Oracle and Oracle fixed it in the June 2013 Java SE CPU, and POCs for nine IBM Java vulnerabilities addressed in early July 2013.

    Previously, Security Explorations found and submitted flaws to Oracle and IBM, which have now been fixed.
