Security research team flags Oracle Java 7 patch flaw


Polish researchers from IT firm Security Explorations claim to have found a flaw in the security update rushed out last week to fix Oracle's Java 7 vulnerability.

The flaw in the update could be exploited to escape the Java sandbox and run arbitrary code on the operating system, the researchers have claimed.

Oracle released the patch last Thursday, and the following day the Security Explorations team alerted the software giant to the flaw.

As a security precaution, the Polish researchers have not disclosed specific details of how the flaw works.

Security Explorations' chief executive Adam Gowdiak wrote on a security website that the "code successfully demonstrates a complete JVM sandbox bypass in the environment of a latest Java SE software (version 7 Update 7 released on Aug 30, 2012).

"The reason for it is a new security issue discovered, that made exploitation of some of our not yet addressed bugs possible to exploit again," he added.

Oracle was forced to release an out-of-band patch to fix the previous Java 7 zero-day exploit, which the Polish researchers claimed to have spotted back in April.

The Oracle advisory said: "These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software."


Meanwhile, email scammers have already attempted to cash in on the Java 7 issue by directing users to web pages containing the exploit.

The emails purport to be from Amazon and were flagged as fake by security vendor Websense in an alert sent out earlier today.

Xue Yang, a Websense security researcher, said: "[The email] further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques to exploit both recent software vulnerabilities and the trusting nature of end-users."

Users have been advised to uninstall Java from systems if there is no need to use the software.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.