ID: IRCNE2013011739
Date: 2013-01-18
According to "computerworld", researchers from Security Explorations, a Poland-based vulnerability research firm, claim to have found two new vulnerabilities in Java 7 Update 11 that can be exploited to bypass the software's security sandbox and execute arbitrary code on computers.
Oracle released Java 7 Update 11 last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware.
Security Explorations successfully confirmed that a complete Java security sandbox bypass can be still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities discovered by the company's researchers, Adam Gowdiak, the company's founder, said Friday in a message sent to the Full Disclosure mailing list. The vulnerabilities were reported to Oracle on Friday, together with working proof-of-concept exploit code, he said.
According to Security Explorations' disclosure policy, technical details about the vulnerabilities will not be publicly disclosed until the vendor issues a patch.
Some security researchers, including those from the U.S. Computer Emergency Readiness Team (US-CERT), continued to advise users to disable the Java browser plug-in despite the release of Java 7 Update 11, citing concerns that similar attacks might occur in the future.
Related Link:
New malware exploiting Java 7 in Windows and Unix systems
US-CERT: Disable Java in browsers because of exploit
Java security fix coming shortly
Oracle pushes out Java patches as zero-day vulnerabilities exposed
Homeland Security still advises disabling Java, even after update
- 2