Researchers claim yet another vulnerability exists in Java

Summary: Security researchers are claiming that all of the latest versions of Java are susceptible to a sandbox bypass, and have sent their code to Oracle as proof.

Security researchers have claimed to have found yet another vulnerability in Java that can completely bypass the security sandbox implemented in several versions of the program.

Posting on the Full Disclosure mailing list, Security Explorations founder and CEO Adam Gowdiak said that the vulnerability his company had discovered affects all the latest versions of Oracle's Java SE software.

"The impact of this issue is critical — we were able to successfully exploit it, and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7," he wrote.

The exploit was tested and confirmed to be working on a fully-patched 32-bit Windows 7 system, under Firefox, Chrome, Internet Explorer, Opera and Safari.

The company has since provided Oracle with a technical description of the issue, as well as binaries and source code to exploit the vulnerability and prove it exists.

"We hope that a news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of [Oracle CEO] Larry Ellison's morning java," Gowdiak joked.

Security Explorations only recently discovered a bug affecting the latest version of Java 7, even though Oracle issued an emergency patch for another set of vulnerabilities before that. As it has in this instance, it did not make any proof of concept code or binaries public, but did alert Oracle to the vulnerability.

Topics: Security, Oracle


A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
