Oracle has recently been at the receiving end of criticism after a zero-day exploit was discovered in Java, one which we were told had been brought to Oracle’s notice months earlier. Oracle broke its quarterly schedule to ship a patch for the exploit once the web became abuzz with it. However, that does not mark the end of Oracle’s Java woes.
A security firm has revealed a new vulnerability in Java which affects multiple versions of Java and which the latest patch from Oracle does nothing to fix. The flaw lies in the way Java handles data types, leaving a gaping hole that allows for a complete bypass of the Java sandbox.
For now, the vulnerability is not known to be actively exploited by attackers. In fact, Security Explorations, the company that revealed the vulnerability, has only demonstrated it as a proof of concept. According to the company, it has notified Oracle of the flaw and is waiting for the company to respond.
Given the nature of the exploit, analysts are of the opinion that it affects nearly all Java users, putting close to 1 billion machines at imminent risk. According to Security Explorations, “We hope that a news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison’s morning…Java.” Oracle has not officially responded to the news yet.