Details of further Java exploits are coming to light,while Oracle has still yet to release a fix for its customers.
Since Computing reported on Michael Schierl's research into the Java 7 exploit,Immunity Products'Esteban Guillardoy has submitted findings that suggest two separate security holes are driving the exploit.
Further reading
New Java exploit details emerge as attacks escalate;no patch from Oracle yet Oracle admits paying bloggers to influence public opinion SAP agrees to pay Oracle$306m in damages
"The first bug was used to get a reference to the sun.awt.SunToolkit class,that is restricted to applets,while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check,"Guillardoy wrote on Immunity's blog.
As knowledge of the exploit,which affects all versions of Java 7,becomes greater and more widespread,the eyes of Java users will look to Oracle for a patch or fix before its next scheduled update on 16 October 2012.
An Oracle spokesperson today told Computing that there is no comment available at the moment on the security exploit.The spokesperson supplied a link to the Oracle Software Security Assurance Blog,which has not been updated since 10 August 2012,in response to the Security Alert CVE-2012-3132 Oracle Database Server exploit.
Oracle's post reminds users that"it is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available,especially when the disruption resulting from having to deal with an unplanned patch,and the amount of time required by customers to apply the patch,may yield less of a security posture improvement than other security effort."
Security companies such as DeepEnd,however,argue that as Oracle continues to do nothing,the revelation of technical details–which allow action to be taken by security groups as well as hackers–are all that stand between the community and total vulnerability.
