Oracle's emergency Java patch brings sandbox bypass

Users that quickly patched against the recent Java zero-day may have just opened themselves up to yet another vulnerability.
Written by Michael Lee, Contributor

Oracle's latest patch to close up several vulnerabilities that were being actively exploited in the wild may not have been enough, with researchers now claiming that even the latest patch (Version 7 Update 7) contains yet another vulnerability.

Researchers at Security Explorations have been scrutinising Java as part of a research project, and were able to confirm on the Bugtraq mailing list on Friday afternoon that the previous vulnerabilities discovered had been closed by the latest patch. The company also claimed that it disclosed these vulnerabilities to Oracle in April 2012.

However, the latest patch (update 7) may have another vulnerability that allows an attacker to escape the Java Virtual Machine sandbox in a different manner to the previous exploit.

According to Security Explorations, it has sent Oracle proof of concept code, which demonstrates the vulnerability in the latest patch, and it is awaiting confirmation. The research firm has not released any code into the public, stating that it will write up a technical paper on the issue, though only once Oracle has made a patch available.

Editorial standards