Security researchers have discovered a new vulnerability in all supported versions of Oracle Java that enables attackers to bypass sandbox defences.
The vulnerability, which affects Java Standard Edition versions 5, 6 and 7, can be used to break out of the Java security sandbox, according to researchers at security firm Security Explorations.
This means a malicious Java applet or application could run unrestricted in a target Java process such as a web browser application. The malware can then enable an attacker to install software and view, change or delete data with the privileges of a logged-on user.
The discovery was announced on the Full Disclosure security mailing list, but technical details of the vulnerability remain under wraps, according to eWeek.
The Security Explorations researchers say finding the flaw and creating an exploit are moderately difficult. But Oracle has acknowledged the issue and plans to address the Java security vulnerability in an update.
Security Explorations said it had provided Oracle with a technical description of the Java security vulnerability, along with the source and binary codes of the Proof of Concept.
Exploits for Java flaws are commonly used in attack kits such as Black Hole, but security researchers say that is unlikely to happen in cases, such as this, that are reported privately.
In August, Oracle released an out-of-cycle security update to patch newly identified vulnerabilities in Java 7 that were being widely exploited.
The move came after researchers urged Oracle not to wait, with news that the Java security vulnerabilities were being used in targeted attacks and were available to users of the Metasploit tool and Blackhole exploit kit.
