A new patch just came out for Java and researchers have already identified a vulnerability affecting the latest version of the software.
Polish firm Security Explorations discovered a Reflection API issue, called “Issue 61,” that plagues all variants of Java 7, including Update 21.
The newly found bug impacts not only the JRE plugin, but the just unveiled Server JRE as well, said Adam Gowdiak, chief executive and founder of Security Explorations.
“[The vulnerability] can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed),” Gowdiak said.
It’s also worth noting this is a completely new security hole that doesn’t rely on any previously unpatched flaws.
A vulnerability report and a proof of concept went out to Oracle. Gowdiak said the company hasn’t confirmed the issue, but he believes it shouldn’t take more than a day, considering that the reproduction of the flaw consists of simply running a Java code in a web browser.
“In Apr 2012, we reported our first vulnerability report to Oracle corporation signaling multiple security problems in Java SE 7 and the Reflection API in particular. It’s been a year since then and to our true surprise, we were still able to discover one of the simplest and most powerful instances of Java Reflection API based vulnerabilities,” Gowdiak said.
“It looks like Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the ‘allowed’ classes space. If so, no surprise that Issue 61 was overlooked.”