Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.
Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO, said Friday via email.
The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.
Oracle broke out of its regular four-month patching cycle on Thursday to release Java 7 Update 7, an emergency security update that addressed three vulnerabilities, including two that were being exploited by attackers to infect computers with malware since last week.
Java 7 Update 7 also patched a "security-in-depth issue" which, according to Oracle, was not directly exploitable, but could have been used to aggravate the impact of other vulnerabilities.
The patching of that "security-in-depth issue," which Gowdiak calls an "exploitation vector," rendered ineffective all of the proof-of-concept (PoC) Java Virtual Machine (JVM) security bypass exploits the Polish security firm had previously submitted to Oracle.
According to Gowdiak, Security Explorations privately reported 29 vulnerabilities in Java 7 to Oracle back in April, including the two that are now actively exploited by attackers.
The reports were accompanied by a total of 16 proof-of-concept exploits that combined those vulnerabilities to fully bypass the Java sandbox and execute arbitrary code on the underlying system.
The removal of the getField and getMethod methods from the implementation of the sun.awt.SunToolkit class in Java 7 Update 7 disabled all of Security Explorations' PoC exploits, Gowdiak said.
However, this only happened because the "exploitation vector" was removed, not because all vulnerabilities targeted by the exploits were patched, Gowdiak said.
The new vulnerability discovered by Security Explorations in Java 7 Update 7 can be combined with some of the vulnerabilities left unpatched by Oracle to achieve a full JVM sandbox bypass again.