Security researchers have confirmed that the latest version of Oracle's Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users' computers.
"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," Adam Gowdiak, CEO of Poland-based Security Explorations, wrote in an advisory posted Friday to the Full Disclosure mailing list. "As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."
Gowdiak's advisory comes a few days after researchers from security firms Trend Micro and Immunity Inc. independently reported the emergency patch Oracle released on Sunday was incomplete. While attacks actively waged online last week exploited two vulnerabilities in the an older version to surreptitiously install malware on computers that browsed to malicious websites, Java 7 Update 11 fixed only one of them, those researchers said. On Wednesday, KrebsOnSecurity reported exploit code for that version was being sold in underground Internet forums.