Although Oracle knows there is a zero-day out there, as of right now it will not issue a patch for a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, said the researcher who found the flaw.
Oracle was already testing a different Java patch, released last week, and it was too late to include the sandbox fix, said Adam Gowdiak of Polish security firm Security Explorations.
Gowdiak’s team did share a technical description of the issue, along with source and binary code for a proof-of-concept exploit.
The vulnerability and exploit came out in late September. Gowdiak’s exploit worked against a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting it; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately gain full remote control of the compromised machine. Oracle was not immediately available to comment on the issue.
Gowdiak’s Java vulnerability was the second severe issue found on the platform since August. The earlier one, a critical vulnerability in Java 7, was exploited to drop the Poison Ivy remote access Trojan on vulnerable machines. Those attacks were later attributed to the Nitro hacking group based in China.
Java users meanwhile will wait until the next critical patch update scheduled for Feb. 19 for a fix, unless Oracle decides to release an out-of-band fix.