Oracle, which has spent the last month dealing with pervasive security issues in Java, has another problem on its hands: a new flaw affecting multiple versions of the software platform that could grant an attacker control of a targeted machine.
Polish vulnerability research firm Security Explorations, which has discovered a slew of Java bugs this year, said the latest flaw impacts Java SE versions 5, 6 and 7 running in all major web browsers – Firefox, Google Chrome, Internet Explorer, Opera and Safari.
Security Explorations notified Oracle of the vulnerability on Tuesday and also posted a message on BugTraq, a mailing list archive, the same day. Researchers are not aware of any attacks actively exploiting the flaw.
Adam Gowdiak, founder and CEO of Security Explorations, said in an email Tuesday to SCMagazine.com that the firm discovered the bug – which allows machines to be compromised through a complete Java security sandbox bypass – late last week
“A malicious Java applet or application exploiting [this bug] could run unrestricted in the context of a target Java process. such as a web browser application,” Gowdiak said. “An attacker could then install programs, view, change or delete data with the privileges of a logged-on user.”
Security Explorations worked to confirm the issue over the weekend, and developed and tested a proof-of-concept code for flaw.
Reasons for its critical impact include the fact that the bug is present in multiple versions of Java, unlike a widespread exploit in August that only affected Java 7 iterations.
Some 1.1 billion desktops run Java. Mac users are particularly vulnerable, Gowdiak said, as Java comes pre-installed on Mac OS X 10.6 and below.
“This bug has the biggest impact among the 50 security issues we have discovered as part of our Java SE security research work,” he added.
In the message on BugTraq, Gowdiak took a jab at Larry Ellison, the CEO of Oracle, whose compensation increased by 24 percent last year, to $96.2 million, according to a Reuters article.
“We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of Larry Ellison's morning...Java,” Gowdiak said.
Gowdiak advised users to disable the Java plug-in in their web browser until Oracle releases patches, scheduled for Oct. 16. It's unclear if the fixes will address this latest defect.
A request for comment was not immediately returned by Oracle.
[An earlier version of this story incorrectly stated that Java 7 came pre-installed on Mac OS X 10.6 and below].