Oracle patches Java 0-day, researchers say there’s another one

Oracle has finally issued an update for Java 7 (v 1.7.0_07) which solves the problem of the CVE-2012-4681 vulnerability (which actually consists of two distinct flaws).

The update also fixed two other related vulnerabilities, and the company “strongly recommended” that customers apply the updates as soon as possible, given the severity of all the vulnerabilities, the the public disclosure of technical details and the reported exploitation of CVE-2012-4681 “in the wild.”

An out-of-schedule update for Java 6 (1.6.0_35) has also been issued. Both updates are available for Windows, Mac OS X, and Linux, but Windows users can also take advantage of the Java Automatic Update to get the latest release.

Still, researchers from Polish firm Security Explorations – the ones who alerted Oracle about them in the first place – claim that they have discovered a similar vulnerability (and, again, reported it to Oracle) that could very soon put Java users in danger again.

“The out-of-band patch released by Oracle yesterday, among other things fixed the exploitation vector with the use of SunToolkit class, the one we used in our proof of concept codes. This made many of them not working…Till today,” Security Explorations CEO Adam Gowdiak shared with Softpedia.

“When combined with some of the Apr 2012 issues, the new issue reported to Oracle today allows to achieve a complete JVM sandbox bypass in the environment of latest Java SE 7 Update 7.”

And while attacks exploiting this new issue have yet to be spotted in the wild, I’m thinking that Oracle will have to reconsider their usual patching schedule if they want to keep their Java users.