Oracle's emergency Java patch brings sandbox bypass

Summary:Users that quickly patched against the recent Java zero-day may have just opened themselves up to yet another vulnerability.

Oracle's latest patch to close up several vulnerabilities that were being actively exploited in the wild may not have been enough, with researchers now claiming that even the latest patch (Version 7 Update 7) contains yet another vulnerability.

Researchers at Security Explorations have been scrutinising Java as part of a research project, and were able to confirm on the Bugtraq mailing list on Friday afternoon that the previous vulnerabilities discovered had been closed by the latest patch. The company also claimed that it disclosed these vulnerabilities to Oracle in April 2012.

However, the latest patch (update 7) may have another vulnerability that allows an attacker to escape the Java Virtual Machine sandbox in a different manner to the previous exploit.

According to Security Explorations, it has sent Oracle proof of concept code, which demonstrates the vulnerability in the latest patch, and it is awaiting confirmation. The research firm has not released any code into the public, stating that it will write up a technical paper on the issue, though only once Oracle has made a patch available.

Topics: Security, Malware, Oracle

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.