Oracle’s Java has been found vulnerable yet again by Polish researcher Adam Gowdiak, and this time the flaw is exploitable across every current Java SE release line: Java SE 5, 6 and 7.
Gowdiak describes the bug as “a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7” and considers it potentially worse than the previous exploits because, by his estimate, more than one billion users are affected, he wrote in a post to the Bugtraq and Full Disclosure security mailing lists.
“We’ve recently discovered yet another security vulnerability affecting all latest versions of Oracle Java SE software” says the full disclosure email. “The impact of this issue is critical – we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7.”
The new exploit, which lets an attacker escape the Java sandbox and gain full control of the victim’s computer, is to be detailed at Oracle’s JavaOne conference, which opens on September 30th. With Java 7 still exposed by a flaw that survived Oracle’s previous patch, this new bug affects users of Chrome, Firefox, Safari and Internet Explorer who have the Java plugin enabled, whatever the underlying operating system, since the bug is in the Java runtime itself rather than in any one browser.
“We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison’s morning Java,” Gowdiak wrote.
Until Oracle ships a fix, disabling the Java plugin in every browser (or uninstalling the browser plugin entirely) is the best course of action for users who want to avoid the vulnerability, experts warn; a sandbox bypass of this kind is triggered simply by loading a web page that hosts a malicious applet.
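Disabling the plugin in a browser's settings is only useful if the browser really stops advertising it. The following check is an added example, not code from the article or from Security Explorations: it inspects a navigator-like object for the MIME types and plugin entry that the Java browser plugin registers (`application/x-java-applet`, `application/x-java-vm`, and a plugin whose name contains "Java") and reports whether the plugin is still reachable from web content. The two fixtures at the bottom are constructed for illustration; in a browser, run `javaPluginEnabled(navigator)` from the developer console after disabling the plugin and expect `false`.

```javascript
// Added example (not from the article): verify that a browser no longer
// exposes the Java plugin to web content. The Java plugin registers the
// MIME types "application/x-java-applet" and "application/x-java-vm" and a
// plugin entry whose name contains the word "Java". The function takes a
// navigator-like object so it can run against the real `navigator` in a
// browser or against constructed fixtures offline.

const JAVA_MIME_TYPES = new Set([
  "application/x-java-applet",
  "application/x-java-vm",
]);

function javaPluginEnabled(nav) {
  if (!nav) return false;
  const mimeTypes = nav.mimeTypes || [];
  const plugins = nav.plugins || [];

  // Browsers expose array-like DOM collections (MimeTypeArray, PluginArray),
  // so iterate by index rather than relying on Array methods.
  for (let i = 0; i < mimeTypes.length; i++) {
    const type = String(mimeTypes[i].type || "").toLowerCase();
    if (JAVA_MIME_TYPES.has(type)) return true;
  }
  for (let i = 0; i < plugins.length; i++) {
    const name = String(plugins[i].name || "");
    // Word boundary so "Java(TM) Platform SE 7" matches but names that
    // merely contain "java" inside another word do not.
    if (/\bjava\b/i.test(name)) return true;
  }
  return false;
}

// Constructed fixtures: a navigator with the Java plugin still registered,
// and one where only an unrelated plugin remains.
const NAV_WITH_JAVA = {
  plugins: [{ name: "Java(TM) Platform SE 7 U7" }],
  mimeTypes: [{ type: "application/x-java-applet" }],
};
const NAV_WITHOUT_JAVA = {
  plugins: [{ name: "Shockwave Flash" }],
  mimeTypes: [{ type: "application/x-shockwave-flash" }],
};

// When loaded in a browser, report the live result; harmless under Node.
if (typeof navigator !== "undefined" && navigator.plugins) {
  console.log("Java plugin reachable from web content:", javaPluginEnabled(navigator));
}
```

The MIME-type check is the one that matters: an `<applet>` or `<object type="application/x-java-applet">` element is only handed to the plugin if the browser still maps that type to it, so a navigator that reports neither Java MIME type cannot launch an applet regardless of what the Java installer left on disk.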