Researchers claim yet another vulnerability exists in Java

Summary: Security researchers claim that all the latest versions of Java are susceptible to a sandbox bypass, and have sent their code to Oracle as proof.

TOPICS: Security, Oracle

Security researchers claim to have found yet another vulnerability in Java that can completely bypass the security sandbox implemented in several versions of the program.

Posting on the Full Disclosure mailing list, Security Explorations founder and CEO Adam Gowdiak said that the vulnerability his company had discovered affects all the latest versions of Oracle's Java SE software.

"The impact of this issue is critical — we were able to successfully exploit it, and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7," he wrote.

The exploit was tested and confirmed to be working on a fully-patched 32-bit Windows 7 system, under Firefox, Chrome, Internet Explorer, Opera and Safari.

The company has since provided Oracle with a technical description of the issue, as well as binaries and source code that exploit the vulnerability and prove it exists.

"We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of [Oracle CEO] Larry Ellison's morning java," Gowdiak joked.

Security Explorations only recently discovered a separate bug affecting the latest version of Java 7, shortly after Oracle had issued an emergency patch for another set of vulnerabilities. As in this instance, it did not make any proof-of-concept code or binaries public, but did alert Oracle to the vulnerability.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • No, can't be another hole in the sandbox

    Not the vaunted Java sandbox that contains all malware. Seriously, they should rename it the sandsieve.
    Johnny Vegas
  • Java, the gift that just keeps giving

    Here is the exploit in action. As long as Java is on, it works; Windows 8 here with a fully patched system.
  • Uninstalled it.........

    I've given up on Java, and Flash as well; uninstalled them. I can live without them. Fed up.