Stefan Mileschin

Oracle is setting up the bunting for its JavaOne 2012 conference in San Francisco, just as researchers from the Polish insecurity outfit Security Explorations found another critical hole in the company's Java software.

According to Security Explorations' researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects "one billion users of Oracle Java SE software".

Gowdiak told Computerworld that the hole will have a bigger impact on Java users than any previous problem.

It affects Java 5, 6 and 7 while most of the previous problems with Java have effected its latest version 7.

The last critical security flaw that Oracle just patched was on 30 August. This one is allegedly so bad that users were advised to disable Java on their browsers if they wanted to avoid it.

In this case all the latest web browsers with the latest Java SE software will have to do the same thing.

Gowdiak said his company found 50 problems in various Java SE implementations including 17 different complete sandbox bypass exploits. It reported two issues to Apple and 17 to IBM.

Oracle have not got back to him yet on the bugs.

The bug allows attackers to violate a fundamental security constraint of a Java Virtual Machine.

He said that all you can do is disable Java Plugin in the web browser and wait for the patches from Oracle.

There are still three weeks until the scheduled Java Oct Critical Patch Update, so it might be possible that the bug will be addressed by the company on 16 Oct 2012, he said.

http://news.techeye.net/security/ano...va-bug-arrives