Oracle released a security alert yesterday in response to the recently discovered zero-day vulnerabilities that affected Java. Security Explorations were the first to discover the exploit back in April, but Oracle wasn’t going to fix it until their hand was forced by hackers. Their hand may be forced yet again by the company that found the last exploit.
Security Explorations says that they have found a new vulnerability in the latest version of Java that was released yesterday. If discovered, the vulnerability would allow hackers to escape the Java sandbox and run code on the underlying system. It sounds pretty bad, but there’s no reason to worry yet.
In an email to CSO, Security Explorations CEO Adam Gowdiak said that Oracle’s patch was effective in stopping the previously used attacks that were infecting computers. The patch from yesterday only took care of the immediate threat however. Security Explorations submitted 29 vulnerabilities in April and only the most pressing issues have been fixed so far.
The concern comes in the form of a new vulnerability that was just recently discovered. Gowdiak says that hackers could combine the new exploit with other unpatched exploits to “achieve a full JVM sandbox bypass.” It’s certainly a cause for concern, but Security Explorations has already submitted a report to Oracle.
For now, it’s safe to use Jave if you have the latest patch installed. There’s no indication that hackers are using new Java exploits to break into your system. If everything goes according to plan, hackers won’t have access to any such exploits until they have been patched by Oracle.