DON'T CALL US; WE'LL CALL YOU —

Oracle reportedly knew of critical Java bugs under attack for 4 months

The critical vulnerabilities are now being exploited in serious malware attacks.

Oracle engineers were briefed on critical vulnerabilities in the Java software framework more than four months before the flaws were exploited in malware attacks that take complete control of end-user computers, according to a published report.

Poland-based Security Explorations privately alerted Oracle to the bugs on April 2, IDG News reported on Wednesday. On Sunday, four months later, separate security researchers at FireEye reported targeted malware attacks that used the Oracle software to install the Poison Ivy backdoor trojan. The exploits were added to the popular BlackHole exploit kit on Monday evening and have since snowballed. The exploit can now be found on more than a dozen separate websites, FireEye researcher Atif Mushtaq wrote in an update on Wednesday.

According to IDG News, two of the 19 vulnerabilities Security Explorations reported in April are the ones now under attack. By combining them, hackers are able to completely bypass the security protections built into Java that are supposed to isolate Java applications from sensitive operating system functions. Neither of those was fixed in the most recent critical patch update for Java in June, although that update did address three other issues the Polish firm reported. Oracle's next regular update isn't scheduled until mid-October. The flawed Java components violate many of Oracle's own Secure Coding Guidelines for the Java Programming Language, Security Explorations said.

In an exploit analysis published on Tuesday, Immunity Inc. researcher Esteban Guillardoy wrote, "The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check. The beauty of this bug class is that it provides 100 percent reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353)."

It's not uncommon for a single malware attack to stitch together multiple vulnerabilities for maximum effect. The Stuxnet worm, for example, targeted five separate zero-day flaws in Microsoft's Windows operating system. A recent hack that took full control of Google's Chrome browser exploited six bugs.

Security Explorations' April advisory said the firm provided proof-of-concept exploits for all the vulnerabilities reported to Oracle, although CEO Adam Gowdiak said the code submitted combined the bugs differently from those exploited in the wild to bypass Java's security sandbox.

Oracle hasn't commented on the vulnerabilities since the attacks became public. Company representatives didn't respond to e-mail messages seeking comment for this post.
