After vulnerabilities were found in Java 7 Update 10, Update 11 was released as an emergency security update to block a zero-day exploit that cybercriminals were using to infect computers with malware.
Now, news reports indicate that new sandbox bypass vulnerabilities have been found in the latest Java update, Java 7 Update 11. Adam Gowdiak of the Polish security firm Security Explorations has identified two new vulnerabilities in the latest version of Java.
In his Full Disclosure mailing list vulnerability report, he wrote,
This post might be interesting for those concerned about the state of Oracle’s Java SE security. We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).
He stated that there was definitely something wrong with the quality of the Java SE 7 code. In his view, the cause was either the lack of a proper Secure Development Lifecycle program for Java or some other problem internal to Oracle.
Technical details about the vulnerabilities have not been publicly disclosed yet; they will be released once the vendor issues a patch.
Meanwhile, some security researchers, including those from the U.S. Computer Emergency Readiness Team (US-CERT), continue to advise users to uninstall or disable the Java browser plug-in despite the release of Java 7 Update 11.