Only hours after Oracle released its latest Java 7 update to address active exploits, security researchers found yet another vulnerability that can be exploited to run arbitrary code on systems that have the runtime installed.
Oracle's latest release of its Java 7 runtime has come under scrutiny in the past few weeks after it was found being actively exploited in malware attacks that target Windows systems. While so far the vulnerability has only been found being used against Windows, other platforms such as the Mac OS could potentially be targeted through the same exploit.
In response to these findings, Oracle broke its quarterly update schedule for Java and released update 7 for the runtime; however, even after this update, yet more vulnerabilities have been found. According to MacWorld, the Polish security firm Security Explorations is claiming to have discovered two new vulnerabilities in Java 7, which so far are proof-of-concept exploits that can be used to break the Java 7 sandbox and execute code. However, as with any vulnerability this opens new avenues for malware attacks.
Security Explorations is keeping the details about these latest vulnerabilities secret until Oracle addresses the problem, and has only stated that when exploited they allow rogue Java applets to break the Java sandbox and execute arbitrary code on the system.
Being only proof-of-concept attacks means that for now they should not pose much of a threat to Java users, and Oracle should address them in future updates. However, Oracle has recently met some criticism for its lackadaisical approach to addressing some known exploits. According to PCWorld, Oracle has known about these and other exploits since April of this year, and has not taken steps to close them.
These latest developments serve as a warning against using Java when not needed and also prematurely updating Java. Java 7 is still very early in its development, being only the seventh release so far, whereas prior runtimes have received over 30 updates to patch and manage vulnerabilities. As a result, if you need Java then you might consider installing a prior runtime version that has been well-tested, but if you do not need Java then you might consider avoiding installing it or removing it from your system if it is already installed.
Java 7 is an optional third-party installation for its supported operating systems, so only those who have installed it should be cautious of these vulnerabilities.
A new Java-Based Security Vulnerability has been discovered and is actively being exploited on the web. If you have installed Java, it is recommended that you either uninstall it by going to Control Panel>Programs & Features, or temporarily disable it in your browser using these instructions. If you're still not sure if you have Java installed, or whether it's been properly disabled, go to this page and click the red button - it should say "No working Java was detected on your system".