JAVA - Some unpatched vulnerabilities remain after out-of-band update
Yesterday's out-of-band patch addressed the actively exploited flaw behind the recent zero-day attacks. However, not all of the reported issues are fully resolved, and developments should be watched closely for any new threats that may emerge.
QUOTE: Researchers from Polish firm Security Explorations – the ones who were the first to report the vulnerabilities which led to the now-infamous Java zero-day – have just reported another similar bug to Oracle. This means that Java users are still exposed, even if they’ve applied the patch released by the company. “The out-of-band patch released by Oracle yesterday, among other things fixed the exploitation vector with the use of SunToolkit class, the one we used in our proof of concept codes. This made many of them not working...Till today,” Adam Gowdiak, founder and CEO of Security Explorations, told Softpedia via email.
“When combined with some of the Apr 2012 issues, the new issue (number 32) reported to Oracle today allows one to achieve a complete JVM sandbox bypass in the environment of the latest Java SE 7 Update 7 (the version that was released on Aug 30, 2012). What this means is that Java 7 users are still at risk from being exploited and the issues we reported to Oracle need to be addressed,” he added.