An update posted on the Security Explorations website states that the company has notified Oracle of the vulnerabilities (referred to as issues 54 and 55), including proof-of-concept code for the company to review. Oracle confirmed successfully receiving the report and is now investigating the matter.
Hopefully Oracle will move to patch the bugs quickly since they can be used to completely bypass the Java security sandbox.
Adam Gowdiak, CEO of Security Explorations told Softpedia, “Both new issues are specific to Java SE 7 only. They allow abuse [of] the Reflection API in a particularly interesting way. Without going into further details, everything indicates that the ball is in Oracle’s court. Again. “
Considering that cybercriminals recently used Java vulnerabilities in the watering hole attack that resulted in malware being installed on computers belonging to Facebook, Apple, Microsoft, and other companies, it may be wise for users to consider:
- Disabling the Java plugins in their web browser (if not needed)
- Dedicating one browser to surfing Java-rich websites and disabling Java plugins in all other browsers
- Removing/uninstalling Java from their computer
It’s better to be safe than sorry.
Do you still have Java installed on your system?