A 0-day flaw exploited in the wild has been reported to affect Java 7:
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
http://pastie.org/4594319
This issue was confirmed to allow an unsigned applet to bypass Java applet restrictions and run arbitrary code on users' systems.
Code execution was confirmed with the latest Oracle and IBM Java 7 web browser plugins. IcedTea-Web using OpenJDK7 blocks this exploit by not allowing an applet to change the SecurityManager (which is allowed in the Oracle and IBM Java plugins). Java 6 is currently not known to be affected.
Secunia: http://secunia.com/advisories/50133/
All the info in this bug is now public, see e.g.:
http://www.h-online.com/security/news/item/Warning-on-critical-Java-hole-1676219.html
http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
https://github.com/rapid7/metasploit-framework/commit/52ca1083c22de7022baf7dca8a1756909f803341
This flaw allows an attacker to circumvent all restrictions applied by the Java security manager. The Java security manager is used to sandbox Java applets in web browsers, but is also used in a variety of other applications. For example, Tomcat can optionally use the Java security manager to apply restrictions to deployed applications. This flaw affects these uses of the Java security manager, not just browser plugins for viewing Java applets.
This statement was last updated on Sep 19, 2012. Statement: This flaw allowed an attacker to circumvent all restrictions applied by the Java security manager. The Java security manager is used to sandbox Java applets in web browsers, but is also used in a variety of other applications. Red Hat has tested the flaw and confirmed that it affected Java SE 7 provided by OpenJDK 7 (java-1.7.0-openjdk), Oracle Java SE 7 (java-1.7.0-oracle) and IBM Java SE 7 (java-1.7.0-ibm) as shipped with Red Hat Enterprise Linux 6. Updates correcting this issue were released for all affected packages.
Details of the flaw from Michael Schierl: http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html
(In reply to comment #1)
> IcedTea-Web using OpenJDK7 blocks this exploit by not allowing applet to
> change the SecurityManager (which is allowed in Oracle and IBM Java plugin).
Other attacks that do not try to change the SecurityManager may be used against IcedTea-Web using OpenJDK7. Note that the IcedTea-Web browser plugin as shipped with Red Hat Enterprise Linux 6 currently only uses OpenJDK6.
Mozilla bug requesting blocking affected Java plugin versions: https://bugzilla.mozilla.org/show_bug.cgi?id=785837
This issue has now hit the mainstream media:
http://in.reuters.com/article/2012/08/27/us-cybersecurity-java-idINBRE87Q18820120827
http://www.forbes.com/sites/andygreenberg/2012/08/27/disable-java-in-your-browser-to-avoid-a-nasty-new-malware-spreading-attack/
http://www.ctvnews.ca/sci-tech/computer-security-experts-warn-about-java-vulnerability-1.933119
http://articles.chicagotribune.com/2012-08-27/business/sns-rt-us-cybersecurity-javabre87q188-20120827_1_latest-java-security-firms-hackers
http://timesofindia.indiatimes.com/tech/personal-tech/computing/Latest-Java-software-exposes-PCs-to-hackers-Experts/articleshow/15882752.cms
Another reference with relevant technical details: http://www.alertlogic.com/java-7-classfinder-restricted-package-bypass/
I posted a quick analysis and possible fix upstream:
http://thread.gmane.org/gmane.comp.java.openjdk.beans.devel/34
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html
Created java-1.7.0-openjdk tracking bugs for this issue
Affects: fedora-16 [bug 852957]
Affects: fedora-17 [bug 852958]
Patches mentioned in comment #17 were released as part of IcedTea 2.3.1:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020083.html
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
According to the following post, issues used by this exploit were reported to upstream in April: http://seclists.org/fulldisclosure/2012/Aug/336
Another reference with relevant technical details: http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html
Oracle has released Java 7 Update 7 to address this issue:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html
External Reference: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
IcedTea-Web using OpenJDK7 blocks this exploit by not allowing an applet to change the SecurityManager (which is allowed in the Oracle and IBM Java plugins). However, it should be noted that: "But there are other ways to abuse this bug to circumvent security restrictions in a more subtle way, so patching is still very recommended." http://gnu.wildebeest.org/blog/mjw/2012/08/30/java-bug-cve-2012-4681/
Upstream commit, as applied to IcedTea 7 2.3 repositories: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/8a226f6a768a This replaces the previous patch mentioned in comment #17. The two patches are identical except for formatting.
OpenJDK7 repositories commit: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/2c58f14f60c7
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1223 https://rhn.redhat.com/errata/RHSA-2012-1223.html
Fixed in IcedTea versions: 1.10.9, 1.11.4, 2.1.2, 2.2.2 and 2.3.1
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020083.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020127.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020144.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-September/020151.html
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2012:1225 https://rhn.redhat.com/errata/RHSA-2012-1225.html
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html
This flaw affects users of JBoss middleware products who are using Java 7 and relying on the Java security manager to control the privileges of untrusted deployed applications. A malicious deployed application could use this flaw to circumvent the controls applied by the Java security manager. Affected JBoss middleware users are advised to use a patched implementation of Java 7. JBoss middleware users who are not using Java 7 or are not relying on the Java security manager are not affected by this flaw.
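Several comments above describe the Java security manager as the boundary that sandboxes applets and, in Tomcat or JBoss, untrusted deployed applications, and comment #1 notes that IcedTea-Web's mitigation was refusing to let an applet change the SecurityManager. The following is an added illustration, not code from the bug report or from any of the projects it names, of what that boundary looks like from inside a sandboxed process: a minimal manager that denies file reads and denies replacing itself, and two checks showing both refusals. The `DenyingManager` class and the file name are constructed for the demo; a real deployment uses the default manager with a policy file. It targets Java 7/8-era runtimes; on Java 18 and later the security manager is disabled by default and running this requires `-Djava.security.manager=allow`.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;

/*
 * Added illustration of the sandbox boundary the Java security manager
 * enforces. Not code from the bug report or from any project it names.
 */
public class SandboxDemo {

    /*
     * Hypothetical minimal manager standing in for an applet or container
     * sandbox policy. It denies file reads and refuses to let running code
     * replace the manager; everything else is permitted so the demo runs.
     */
    static final class DenyingManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // System.setSecurityManager() consults the current manager with
            // RuntimePermission("setSecurityManager") before swapping it out.
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("sandboxed code may not replace the SecurityManager");
            }
            // File.exists(), FileInputStream, etc. route through checkRead(),
            // which arrives here as a FilePermission with the "read" action.
            if (perm instanceof FilePermission && perm.getActions().contains("read")) {
                throw new SecurityException("file read denied: " + perm.getName());
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /* Returns true when the manager stops an ordinary file read. */
    static boolean fileReadBlocked() {
        try {
            new File("sandbox-demo.txt").exists();   // constructed file name
            return false;
        } catch (SecurityException expected) {
            return true;
        }
    }

    /*
     * Returns true when the manager stops code from disabling it. Turning the
     * manager off is what the Java 7 applet exploit aimed for; the comment #1
     * mitigation is the refusal shown here, and the upstream fix removes the
     * path by which an unsigned applet could get past it.
     */
    static boolean managerReplacementBlocked() {
        try {
            System.setSecurityManager(null);
            return false;
        } catch (SecurityException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new DenyingManager());
        System.out.println("file read blocked:          " + fileReadBlocked());
        System.out.println("setSecurityManager blocked: " + managerReplacementBlocked());
    }
}
```

Compile and run with `javac SandboxDemo.java && java SandboxDemo`. The point of the demo is that both refusals depend on the manager still being in place: once untrusted code can reach `setSecurityManager` with enough privilege to pass the first check, as the vulnerability allowed, every other restriction (file access, network, process execution) goes with it, which is why the JBoss and Tomcat uses described above are affected and not only browser applets.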