This is bad news for Java users. The Polish security researcher Adam Gowdiak has found yet another vulnerability in Java that can completely bypass the security sandbox implemented in several versions of the program. The good news is that, so far, there is no exploit code circulating--yet.
According to the researcher, Java SE versions 5, 6, and 7 are affected. He gave details of the discovery in a posting to the Full Disclosure mailing list.
Using the hole, Gowdiak has been able to create a Java applet which, when run in the browser, executes with the user's privileges and can then place malicious code on the system and run it.
"We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of [Oracle CEO] Larry Ellison's morning java," Gowdiak joked.
The researcher has already confidentially sent information about the hole to Java maker Oracle, along with proof-of-concept code.