Researchers from Security Explorations have identified a couple of vulnerabilities that affect the latest version of Java. The security holes can be exploited to achieve a complete sandbox bypass in Java 7 Update 11.Experts say that they’ve been inspired by the vulnerability related to obtaining references to restricted classes – better known as the MBeanInstantiator bug – which still hasn’t been addressed by Oracle.
However, the latest security holes they’ve uncovered (dubbed “issue 51” and “issue 52”) are not related to it.
Adam Gowdiak, CEO of Security Explorations, has told me in an email that both vulnerabilities are required for a successful attack.
It’s almost impossible to say if these vulnerabilities are the same as the ones used in the zero-day exploit advertised on a hacking forum earlier this week. However, it goes to show that experts are right to advise users to disable Java if it’s not needed.
In the meantime, Security Explorations has released more details about the vulnerability dubbed “issue 32,” which Oracle fixed a few days ago to address the Java 7 Update 10 exploit. The additional details come in response to a paper released by Immunity Inc.