Yesterday Oracle released an update to Java 7 (Java 7u7 update) that fixed nineteen critical vulnerabilities, two of which were exploited by in-the-wild attacks that installed malware on infected machines. It took Oracles four months to patch the just-mentioned vulnerabilities; it took security researchers less than 24 hours to find a new exploit in Java 7u7.
According to Adam Gowdiak of Poland-based Security Explorations (the same people who reported the previous Java 7u6 vulnerability to Oracle four months ago), this new Java 7u7 exploit allows scumbags to take complete control of infected machines; it “facilitates full Java sandbox bypass on latest Java 7 Update 7”. To make matters worse, the attack vectors are now websites and e-mails.
Gowdiak says he is not releasing public details of the exploit for fear of abuse by scumbags but he does say his company has put together proof-of-concepts and sent them to Oracle. It isn’t entirely clear what operating systems this new exploit affects but, seeing as Java is cross-platform, it likely affects Windows, Mac OS X, and Linux.
On the bright side, there haven’t been any reports of this vulnerability being used in-the-wild (yet). However, it took Gowdiak and his team “about 2-3 hours” to find the new vulnerability while they tried “to fix the proof-of-concept codes that stopped working after applying the recent Java patch”. So, even though Gowdiak has not released details of this exploit it is conceivable that other people can discover this new exploit on their own and start using it if they want to badly enough.
Oracle has not responded to this semi-new development and has not issued any patch. People that want to be protected from this exploit should preferably completely uninstall Java or, at the least, disable Java in browsers. Gowdiak claims this new vulnerability was achieved by combining “some of the April 2012 issues” and reports of the earlier vulnerabilities said it didn’t affect Java 6. So, while unconfirmed, it is conceivable that Java 6u35 may be unaffected by this new vulnerability, so grab that if you must absolutely have Java.