A Polish security firm 'Security Explorations' reported two new Java zero-day vulnerabilities, as "issue 54" and "issue 55," with proof of concept code to Oracle.
Oracle's security team is currently investigating the issue, but the status flaws not yet confirmed by Oracle. Less than a week after Oracle released its latest Java critical patch update, Researcher and Security Explorations's CEO Adam Gowdiak have found two previously unknown security issues affecting Java 7.
Security experts generally advise users to disable the Java browser plugin, which was exploited in recent targeted attacks on developers at Facebook, Apple and Microsoft.
Java has faced an increasing number of zero-day vulnerabilities, bugs that are exploited by criminals before those flaws are patched, or even known by the vendor.
Gowdiak confirmed that these newest vulnerabilities can be combined to circumvent Java's anti-exploit sandbox technology and used to attack machines whose browsers have the Java plug-in installed.