Researchers claim yet another vulnerability exists in Java

Security researchers are claiming that the latest versions of Java are susceptible to a sandbox bypass, and have sent their exploit code to Oracle as proof.
Written by Michael Lee, Contributor

Security researchers claim to have found yet another vulnerability in Java that completely bypasses the security sandbox in several versions of the software.

Posting on the Full Disclosure mailing list, Security Explorations founder and CEO Adam Gowdiak said that the vulnerability his company had discovered affects all of the latest versions of Oracle's Java SE software.

"The impact of this issue is critical — we were able to successfully exploit it, and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7," he wrote.

The exploit was tested and confirmed to work on a fully patched 32-bit Windows 7 system, under Firefox, Chrome, Internet Explorer, Opera and Safari.

The company has since provided Oracle with a technical description of the issue, as well as binaries and source code that exploit the vulnerability and prove it exists.

"We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of [Oracle CEO] Larry Ellison's morning java," Gowdiak joked.

Security Explorations only recently discovered a separate bug affecting the latest version of Java 7, even after Oracle had issued an emergency patch for another set of vulnerabilities. As in this instance, it did not make any proof-of-concept code or binaries public, but it did alert Oracle to the vulnerability.
