Zero-Day Flaws in Java Re-Emerge; No Exploitation in the Wild Yet
Two new security flaws have been found in the latest version of Java 7 (Update 15) by researchers at Polish security firm Security Explorations.
According to their account, the issues, tracked internally as "issue 54" and "issue 55," can be chained to bypass the Java sandbox and run arbitrary code with full privileges from an untrusted source, such as an applet served by a malicious web page. The flaws were reported before any exploitation was observed in the wild, but cyber-criminals may begin using them before an official fix becomes available.
“Both new issues are specific to Java SE 7 only. They allow abuse of the Reflection API in a particularly interesting way,” Security Explorations CEO Adam Gowdiak told Softpedia. “Without going into further details, everything indicates that the ball is in Oracle’s court. Again.”
According to Security Explorations, the exploitation mechanism has been confirmed to work against the original Java 7 release, Java 7 Update 11, and the latest version available, Java 7 Update 15. Both issues have been documented and delivered to Oracle along with proof-of-concept code.
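The article does not describe the technique behind issue 54 and 55, and the example below is not the Security Explorations proof-of-concept. It is an added illustration, written for this page, of the sandbox check that a Reflection API bypass has to defeat: with a SecurityManager installed, as it is for applets, turning off Java's access checks on a private member via setAccessible requires the ReflectPermission "suppressAccessChecks", which the default policy does not grant to untrusted code. The class and field names are assumptions chosen for the demonstration; it assumes a Java 7 runtime with the default java.policy.

```java
import java.lang.reflect.Field;
import java.security.AccessControlException;

// Added example (not from the original article or Security Explorations).
// Shows the reflection check enforced by the Java sandbox; a sandbox bypass
// is, by definition, code that reaches the "bypassed" branch below.
public class SandboxReflectionDemo {

    // A private member that sandboxed code is not supposed to read directly.
    private static final String SECRET = "not for untrusted code";

    // Attempts the reflective access and reports whether the sandbox held.
    static boolean privateFieldReadable() {
        try {
            Field f = SandboxReflectionDemo.class.getDeclaredField("SECRET");
            // With a SecurityManager present this call checks
            // ReflectPermission("suppressAccessChecks") and throws
            // AccessControlException for code that was not granted it.
            f.setAccessible(true);
            Object value = f.get(null);
            return value != null;
        } catch (AccessControlException e) {
            // Expected outcome under the default policy.
            return false;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Without a SecurityManager (plain desktop application) the access is allowed.
        System.out.println("no sandbox, private field readable: " + privateFieldReadable());

        // Install the same kind of manager an applet runs under, using the
        // default java.policy, which grants only a small set of permissions.
        System.setSecurityManager(new SecurityManager());
        System.out.println("sandbox on,  private field readable: " + privateFieldReadable());
    }
}
```

Run with a Java 7 JDK as `javac SandboxReflectionDemo.java && java SandboxReflectionDemo`; the first line should report true and the second false. The reported flaws matter precisely because they let applet code reach privileged reflection operations without this permission check stopping them, so the second line would read true under an exploit.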
If the flaws are not exploited in the wild in the meantime, the fix will most likely ship on April 16, with Oracle's regular scheduled Critical Patch Update. As usual, we recommend keeping the Java browser plugin disabled, enabling it only when you need to access a trustworthy site that requires it, and disabling it again when you are done. Since these issues are only reachable through untrusted code such as applets, a disabled plugin closes the drive-by attack path even while the runtime itself remains unpatched.