Researchers from Security-Explorations.com have today notified Oracle of another serious security issue with Java 7. Two vulnerabilities, dubbed “issue 54” and “issue 55”, can be combined in order to completely bypass Java’s security sandbox. It seems Java SE 7 Update 15 and all earlier versions are affected by this issue.
As you can see from the quote below, Oracle have confirmed receipt of the vulnerability details and proof of concept code, but there is no news on if/when they will be fixed. Oracle say that “issue 51” is currently being worked on, even though this one was reported back in January.
“– Vulnerability Notice along with a Proof of Concept code are sent to Oracle corporation (Issues 54 and 55).
– Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
– Oracle provides a monthly status report for the reported issues. The company informs that Issue 51 is under investigation / being fixed in main codeline. The report does not mention Issues 54 and 55 yet.
– Oracle provides tracking numbers for Issues 54 and 55.”
With all the high profile breaches lately, e.g. Microsoft, Apple and Facebook, it is as advisable as ever to disable Java in the browser unless specifically required. Recent versions of Java allow the user to disable it in the browser via a switch in the Java Control Panel (instructions for doing just that from Oracle).
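The Control Panel switch mentioned above is backed by a plain-text setting in Java's deployment.properties file, which makes it possible to audit (and enforce) the "Java disabled in browser" state across many machines rather than clicking through the GUI on each one. The following script is an added example and is not code from the original post or from Security Explorations or Oracle. It assumes the Java 7 Update 10 and later property key `deployment.webjava.enabled` (the key behind the Control Panel checkbox) and the common `.locked` convention for system-wide enforcement; the file path and the sample properties content are constructed for illustration.

```python
"""Audit and harden the 'Enable Java content in the browser' setting.

Added example, not part of the original post. Assumptions:
  - Java 7u10+ stores the Control Panel switch as the property
    'deployment.webjava.enabled' in a Java .properties file.
  - A system-wide deployment.properties can pin a value by listing
    '<key>.locked' on its own line.
  - Paths such as ~/.java/deployment/deployment.properties are
    examples only; they vary by OS and Java release.
"""
from pathlib import Path

WEBJAVA_KEY = "deployment.webjava.enabled"
LOCK_KEY = WEBJAVA_KEY + ".locked"

# Constructed sample of a user-level deployment.properties (not a real file).
SAMPLE = """# constructed sample deployment.properties
deployment.version=7.21
deployment.webjava.enabled=true
deployment.security.level=HIGH
"""


def _split(line):
    """Split one Java .properties line into (key, value).

    Handles 'key=value', 'key:value' and 'key value'; a bare key gets ''.
    """
    idx = next((i for i, ch in enumerate(line) if ch in "=: \t"), None)
    if idx is None:
        return line, ""
    return line[:idx].strip(), line[idx:].lstrip("=: \t").strip()


def parse_properties(text):
    """Minimal parser: blank lines and '#'/'!' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split(line)
        props[key] = value
    return props


def browser_java_enabled(props):
    """The plugin defaults to enabled, so only an explicit 'false' disables it."""
    return props.get(WEBJAVA_KEY, "true").lower() != "false"


def harden(text, lock=False):
    """Return the properties text with browser Java disabled.

    Existing webjava/lock lines are rewritten in place; other lines are
    preserved verbatim. With lock=True a '<key>.locked' line is appended so a
    user-level file cannot re-enable the plugin (system-file convention).
    """
    out, seen = [], False
    for raw in text.splitlines():
        line = raw.strip()
        key = None if not line or line[0] in "#!" else _split(line)[0]
        if key == LOCK_KEY:
            continue  # re-added below if requested
        if key == WEBJAVA_KEY:
            out.append(f"{WEBJAVA_KEY}=false")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append(f"{WEBJAVA_KEY}=false")
    if lock:
        out.append(LOCK_KEY)
    return "\n".join(out) + "\n"


def audit_file(path):
    """Report whether the deployment.properties at `path` leaves browser Java on."""
    text = Path(path).read_text(encoding="utf-8")
    return browser_java_enabled(parse_properties(text))


if __name__ == "__main__":
    # Run against the constructed sample rather than a real file.
    print("browser Java enabled:", browser_java_enabled(parse_properties(SAMPLE)))
    print(harden(SAMPLE, lock=True))
```

Point `audit_file` at the real deployment.properties on a host (under `~/.java/deployment/` on Linux, or the user's Java `Deployment` folder on Windows) to list machines that still have the plugin switched on; `harden` produces the corrected file contents to write back, with `lock=True` intended for the system-wide copy so that a local user cannot quietly turn the plugin back on.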
photo: Tama Leaver