Java zero day

Prompted by Oracle Rejection, Researcher Finds Five New Java Sandbox Vulnerabilities

Giving a prolific bug hunter an excuse to go poking deeper into a potential security issue generally doesn’t end well for the vendor in question—in this case Oracle. Polish security firm Security Explorations, noteworthy for its Java security research, said today it reported five new vulnerabilities in Java SE 7 to Oracle. If combined, researcher Adam Gowdiak said, they can be used to gain a complete bypass of the Java sandbox.

Oracle’s emergency Java update this weekend for a zero-day sandbox bypass vulnerability hasn’t exactly kicked off a love-fest for the company among security experts. Researchers are still cautious about recommending users re-enable the ubiquitous software, despite the availability of the fix for the latest zero-day to target the platform. 

The exploit targeting the latest zero-day vulnerability in the Java platform is dropping ransomware, and has been found in another exploit kit. Security experts, including U.S.-CERT last night, advise users and IT managers to disable Java on endpoints and browsers. Meanwhile, Polish security researcher Adam Gowdiak of Security Explorations said the attacks target a pair of vulnerabilities, one of which was reported to Oracle in September and patched, apparently incompletely, in October.
