Researcher uncovers yet another Java hole
The Polish security researcher Adam Gowdiak has found another vulnerability in Java that could allow an attacker to bypass the sandbox. He gave details of the discovery in a posting to the Full Disclosure mailing list. Using the hole, Gowdiak has been able to create a Java applet which, when run in the browser, executes with the user's privileges and can then place malicious code on the system and execute it.
Gowdiak had previously disclosed a similar vulnerability in the most recent version of Java, Java 7 Update 7. The new vulnerability, however, can also be exploited on Java 5 and Java 6. The researcher has already confidentially sent information about the hole to Java maker Oracle, along with proof-of-concept code.
So far there are no reports that the vulnerability is being exploited for attacks. Oracle has not said whether or when it will close the vulnerability. A previous issue reported by Gowdiak in April 2012 was not fixed until late August after attacks using the vulnerability had begun in earnest.