Security Explorations researcher Adam Gowdiak has continued unearthing vulnerabilities in Java, this time claiming that Oracle has not bothered to check the software against a "very classic attack" that he has found.
In line with the company's responsible disclosure policy, Gowdiak has not released the details of the vulnerability, but he did state that it is related to the new Reflection API introduced in Java SE 7, and that successful exploitation allows an attacker to reliably bypass Java's security sandbox.
"The attack itself has been in the public knowledge for at least 10+ years. It's one of those risks one should protect against in the first place, when new features are added to Java at the core VM level," Gowdiak wrote on the SecurityFocus Bugtraq mailing list.
Gowdiak claims that his company's proof-of-concept code works on the most recent version of Java SE 7, Update 25, and earlier, but the company has not yet released the code in order to give Oracle time to respond. However, while Gowdiak has afforded the company this professional courtesy, he questioned how seriously Oracle is taking security, given that he believed the flaw should have been picked up rather easily.
He argued that its security assurance procedures, if they existed, should have quickly identified the issue and eliminated it before Java SE 7 was released.
"This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect."
But Oracle does have a significant number of resources behind securing the software specifically, according to the lead software developer for Java, Nandini Ramani. Earlier this year, he wrote on the company's Security Assurance Blog on this very issue, to reassure customers that the security of Java is one of the company's priorities.
He stated that Oracle has significantly accelerated the production of its security fixes, placed additional investment in responding to zero-day vulnerabilities, and, effective from October this year, will increase the number of scheduled security releases each year.