When Oracle released its Java Update 11 earlier this week, it patched several zero-day exploits that security researchers had previously identified. Nevertheless, a number of firms still recommended uninstalling Java due to a number of remaining bugs. It's taken less than a week for new flaws to surface -- and these are issues that hadn't previously been identified.
Adam Gowdiak, of Security Explorations, noticed that while Update 11 fixed some outstanding issues, it did nothing to repair a flaw in the Java MBeanInstantiator that still allows for the execution of malicious code. Oracle's decision to leave the problem less-than-fixed inspired Gowdiak to go looking for other flaws that the company might have missed. A fresh examination of Java 7 Update 11 has yielded another pair of exploitable flaws that are unrelated to the MBeanInstantiator issue.
"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11," Gowdiak wrote. "MBeanInstantiator bug (or rather a lack of a fix for it) turned out to be quite inspirational for us. However, instead of relying on this particular bug, we have decided to dig our own issues. As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."
These flaws underscore the problems Oracle is having with Java, but they're scarcely insurmountable. Microsoft has transformed itself from a company whose products had all the security of a sieve to a company that's respected and considered security conscious. At the same time, however, it's worth noting that it took Redmond the better part of a decade to repair its own reputation. If Oracle wants Java to continue to be important to web development, it needs to devote the necessary resources to closing the security holes. If it doesn't, other programs will eventually evolve to fill the void. That might take a while -- Google's own engineers certainly didn't think much of the Java alternatives when it was working on Android -- but ever-present security flaws are an unacceptable risk in enterprise environments. If Oracle can't secure Java, companies will eventually have no choice but to look elsewhere.
There's no word on when these latest flaws will be fixed. As we've said before, the safest way to secure your system from Java bugs is to disable the software and only reactivate it if you actually need to use it. Unless you start seeing prompts warning you that software needs Java to run, you'll probably never miss it.