According To Researchers Java Security Is Still Vulnerable
Researchers at Polish security firm Security Explorations claim that Java users are vulnerable to attacks due to a faulty security patch.
The same company discovered CVE-2013-5838 in 2013 and reported it to Oracle. At that time it was a sandbox exploit for Java applets and Java Web Start applications.
The sandbox exploit was rated with a severity score of 9.3 out of 10, which is considered critical. In October 2013, Oracle pushed out Java SE 7 Update 40 to address the problem.
Two years later, the same security researcher discovered that Oracle had botched the fix and had also misclassified its impact.
Adam Gowdiak, a Security Explorations researcher, says:
"The issue can also be exploited in server environments and even in Google App Engine installations and along with that they also said that changing four characters in the company's original proof-of-concept code allowed them to exploit the flaw, despite Oracle's patch."
The sandbox exploit works in newer versions of Java, such as Java SE 9 Early Access Build 108, Java SE 8 Update 74 and Java SE 7 Update 97. The hackers have provided updated technical papers that describe how the flaw can be exploited.
According to Gowdiak, "the information regarding this issue doesn't pass to Oracle because they already knew in 2013, and they had their chance to get it right from the get-go."
The attack only provides an escape from Java's sandbox mode, a virtual machine-like environment.
To exploit it, attackers have to evade Java's Click2Play functionality. Click2Play is an automated security defense system that prevents Java applets from automatically executing inside a browser or a desktop environment.
Attackers now have to chain different exploits in order to take advantage of this improperly patched issue.