Today, Jan. 19, 2013, Lucian Constantin has reported for PC World, Oracle's Java patch contains new holes, researchers warn. Researchers from Security Explorations, which is a Poland-based vulnerability research firm, claim they have found two new vulnerabilities in Java 7 Update 11 which can be exploited to bypass the software's security sandbox and which can execute arbitrary code on computers. Java 7 Update 11 was released by Oracle last Sunday as an emergency security update in order to block a zero-day exploit used by cybercriminals in order to infect computers with malware.
Adam Gowdiak, the company's founder, said Friday in a message sent to the Full Disclosure mailing list, Security Explorations has successfully confirmed that a complete Java security sandbox bypass can be still be achieved under Java 7 Update 11 (JRE version 1.7.0_11-b21) by exploiting two new vulnerabilities which were discovered by the company's researchers. He said that these vulnerabilities were reported to Oracle on Friday, along with working proof-of-concept exploit code. As covered in Security Explorations' disclosure policy, the technical details about the vulnerabilities will not be publicly disclosed until a patch is issued by the vendor.
The H Open has also reported on this story, Oracle's Java patch leaves a loophole. Just last weekend, Oracle released an emergency patch for the 0day hole in Java, and now the security researcher has already found the next loophole. Gowdiak has revealed that the flawed MBeanInstantiator method inspired him to search for further holes. Users should therefore be very careful and should only install Java updates from reliable sources.