Oracle released an emergency patch on Thursday for previously unknown Java vulnerabilities that cybercriminals had targeted with popular exploit kits within hours after the bugs' existence became public, security researchers found yet another vulnerability that can be exploited to run arbitrary code on systems that have the runtime installed.
Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.
While so far the vulnerability has only been found being used against Windows, other platforms such as the Mac OS could potentially be targeted through the same exploit. Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO said Friday via email.
The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said. According to Gowdiak, Security Explorations privately reported 29 vulnerabilities in Java 7 to Oracle back in April, including the two that are now actively exploited by attackers.
The new vulnerability discovered by Security Explorations in Java 7 Update 7 can be combined with some of the vulnerabilities left unpatched by Oracle to achieve a full JVM sandbox bypass again.
Security researchers have always warned that if vendors take too much time to address a reported vulnerability it might be discovered by the bad guys in the meantime, if they don't already know about it.