Adam Gowdiak, the CEO of Security Explorations (the company that discovered the recent Java vulnerabilities), told Softpedia that Oracle has confirmed the existence of the second flaw, reported on August 31, 2012. “Oracle confirmed the security issue reported to them on Aug 31, the one that affects the out-of-band patch released on Aug 30. This is visible at our vendor status page,” Gowdiak wrote in an email.
The second bug was reported to Oracle right after the company released an out-of-band patch for Java 7. Although it is unusual for Oracle to issue fixes outside its regular patch cycle, the move was necessary because the original vulnerability was already being exploited in the wild.
“The out-of-band patch released by Oracle yesterday, among other things, fixed the exploitation vector with the use of the SunToolkit class, the one we used in our proof-of-concept codes. This made many of them not working... Till today,” Gowdiak told us on August 31.
“When combined with some of the Apr 2012 issues, the new issue (number 32) reported to Oracle today allows one to achieve a complete JVM sandbox bypass in the environment of the latest Java SE 7 Update 7 (the version that was released on Aug 30, 2012),” he added.
He warned that the newly discovered bug means users are still at risk, even after applying the Java 7 Update 7 patch.
Oracle has confirmed that the newly reported issues will be addressed in its next Critical Patch Update (CPU), scheduled for October.
In the meantime, users are advised to disable the Java Runtime Environment plugin in their browsers, or to remove the component altogether if it is not needed for everyday tasks.
Alternatively, users can keep Java enabled in only one browser (the one used for work-related tasks that require it), making sure that the browser used for general web surfing has the plugin disabled.