Security research team flags Oracle Java 7 patch flaw
Security Explorations claim to have uncovered an undisclosed flaw in the software giant's out-of-band web browser fix.


Polish researchers from IT firm Security Explorations claim to have found a flaw in the security update rushed out last week to fix Oracle's Java 7 vulnerability.
The flaw in the update could be exploited to escape the Java sandbox and run arbitrary code on the operating system, the researchers have claimed.
Oracle released the patch last Thursday, and the following day the Security Explorations team alerted the software giant to the flaw.
The Polish researchers have not disclosed specific details of how the flaw works, as a security precaution.
Security Explorations' chief executive Adam Gowdiak wrote on security website Seclists.org that the "code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012).
"The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again," he added.
Oracle was forced to release an out-of-band patch to fix the previous Java 7 zero-day exploit, which the Polish researchers claimed to have spotted back in April.
The Oracle advisory said: "These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software."
Meanwhile, email scammers have already attempted to cash in on the Java 7 issue by directing users to web pages containing the exploit.
The emails purport to be from Amazon and were flagged as fake by security vendor Websense in an alert sent out earlier today.
Xue Yang, a Websense security researcher, said: "[The email] further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques to exploit both recent software vulnerabilities and the trusting nature of end-users."
Users have been advised to uninstall Java from systems if there is no need to use the software.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.