A security researcher known for finding Java bugs has uncovered a new critical zero-day vulnerability in all currently-supported versions of the popular Oracle software.
The bug, which was publicly reported on the Full Disclosure security mailing list Tuesday by Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, can be leveraged to hijack a machine equipped with Java, letting attackers install malware on the system.
Windows PCs and Macs are equally at risk if their users have installed Java, or in the case of OS X, are running 10.6, aka Snow Leopard, or earlier. Snow Leopard was the last edition where Apple bundled Java with the operating system.
All currently-supported versions of Java, including Java 5, Java 6 and Java 7, contain the bug.
Gowdiak has found other Java vulnerabilities in the past: Earlier this year he reported more than a dozen to Oracle. Months later, hackers independently uncovered one of the bugs, then began using it in widespread attacks during August.
On Aug. 30 Oracle shipped one of its rare emergency, or "out-of-band," security updates to patch the exploited Java bug.
The vulnerability Gowdiak revealed Tuesday was both potentially more serious than the already-exploited flaw and less of a risk to users at the moment.
"The potential impact is bigger when it comes to the number of Java desktops," said Gowdiak in an email reply to questions. "The vulnerability affects up-to-date installs of Java 5, 6 and 7. We even tested the developer preview of Java 7 Update 10, a build from Sept. 20, 2012, [and] verified it was also vulnerable."
The Java zero-days exploited by cyber criminals last month were in Java 7 only -- the newest edition -- and because of that, Gowdiak and other experts recommended users downgrade to Java 6, which was safe.
Not the case now, as all editions of Java harbor the flaw.
Gowdiak, using installed-base statistics cited by Oracle, argued that approximately 1 billion computer users are at risk because of the unpatched vulnerability.
On the other hand, there is much less urgency with this vulnerability than the one exploited last month, for the simple fact that there's no evidence it's in the hands of hackers. "We are not aware of any active attacks that would exploit this vulnerability," Gowdiak said.
While Gowdiak said that he found the new Java bug last week -- and took the weekend to create and test a proof-of-concept exploit -- he only reported it to Oracle on Tuesday. In a follow-up email to Computerworld, Gowdiak said, "We just received confirmation of the issue from Oracle."
The company also told him that the bug will be patched in a future Java security update, but did not say which one. The next on Oracle's quarterly schedule will ship Oct. 16.
That was one of several reasons Gowdiak used to explain why he went public with the bug -- albeit sans technical details -- rather than privately reporting it to Oracle and waiting for the company to quietly patch Java. "There are still three weeks until the scheduled Java October Critical Patch Update [CPU], so it might be possible that Oracle manages to address the bug [on Oct. 16]," he said.
Gowdiak also said it was "simply our obligation to provide users with a proper warning," especially in light of recommendations last month to shift from Java 7 to the then-safe Java 6.
The fact that Java 6 is vulnerable will be of special interest to anyone using a Mac that runs OS X 10.6 (Snow Leopard) or OS X 10.5 (Leopard). Although Apple stopped bundling Java with OS X starting in 2011, 2009's Snow Leopard and 2007's Leopard included the software. If hackers have found -- or do find -- Gowdiak's vulnerability on their own, and exploit it before Oracle patches, Snow Leopard and Leopard users will be at risk, just like those running Lion or Mountain Lion.
The publicity of the newest Java zero-day -- several media outlets reported it yesterday -- will, of course, put some pressure on Oracle to act quickly, a reason often cited by security researchers who broadcast the existence of a flaw before a patch is available.
Gowdiak had an answer for that, too.
"We [make] public announcements, so that users are aware that there are some risks associated with given software or a technology, and can plan their actions accordingly," he said. He also declined to share more information about the nature of the vulnerability than the vague description in the Full Disclosure message.
Gowdiak confirmed that his proof-of-concept exploit worked against the Java plug-in used by the current versions of Chrome, Firefox, Internet Explorer 9, Opera and Safari on Windows 7.
As virtually every security professional has done when a Java vulnerability or exploit surfaces, Gowdiak yesterday urged users to disable the plug-in in their browsers until Oracle issues a patch.
Security Explorations keeps an up-to-date account of the vulnerabilities it reports to vendors, and their reactions, if any, on its website.
Instructions for disabling Java in the major browsers can be found on the US-CERT (United States Computer Emergency Readiness Team) website.
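Because the article reports that every supported Java family (5, 6 and 7, including the 7 Update 10 preview) is affected, an administrator's first job is to find out which machines have Java at all and which family each one runs, so the plug-in can be disabled there until Oracle's fix lands. The following Python helper is an added example, not code from the article, Security Explorations or Oracle: it parses the output of `java -version` collected from a fleet (the collection mechanism is assumed and not shown; the sample outputs below are constructed) and flags each host. Oracle has not named the fixing release, so the `FIXED_UPDATE` table is left as a labelled placeholder; until it is filled in, every install in an affected family is reported as affected.

```python
import re
from typing import Dict, NamedTuple, Optional


class JavaVersion(NamedTuple):
    family: int  # 5, 6 or 7 for "1.5", "1.6", "1.7"
    update: int  # the _NN update number, 0 if absent


# Matches the first line of `java -version`, e.g.  java version "1.7.0_07"
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?')

# Families the article reports as affected (Java 5, 6 and 7).
AFFECTED_FAMILIES = {5, 6, 7}

# PLACEHOLDER (assumption): the update number in which Oracle fixes the bug,
# per family. The article does not name it; fill this in from Oracle's advisory
# once published, e.g. {7: <update>, 6: <update>}. Empty means "no fix known".
FIXED_UPDATE: Dict[int, int] = {}


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract (family, update) from `java -version` output, or None if no Java."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return JavaVersion(family=int(m.group(1)), update=int(m.group(2) or 0))


def is_affected(v: JavaVersion) -> bool:
    """True if this install is in an affected family and below any known fix."""
    if v.family not in AFFECTED_FAMILIES:
        return False
    fixed = FIXED_UPDATE.get(v.family)
    return fixed is None or v.update < fixed


def triage_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a dict of host -> `java -version` output."""
    result = {}
    for host, output in inventory.items():
        v = parse_java_version(output)
        if v is None:
            result[host] = "no java"
        elif is_affected(v):
            result[host] = f"affected: Java {v.family} update {v.update}, disable browser plug-in"
        else:
            result[host] = f"not affected: Java {v.family} update {v.update}"
    return result


# Constructed sample outputs standing in for what a fleet query would return.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b00)\n',
    "ws-02": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b00)\n',
    "ws-03": "'java' is not recognized as an internal or external command\n",
    "ws-04": 'java version "1.7.0_10"\n',  # matches the 7u10 preview the researcher tested
}

if __name__ == "__main__":
    for host, status in triage_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Once Oracle ships the fix, setting `FIXED_UPDATE` (for example to the update numbers listed in the October advisory) turns the same report into a patch-compliance check, so hosts still below the fixed update stay flagged while patched ones drop off the list.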