Although Java 7 Update 7, which was only released last Thursday, blocks all publicly known exploits, security researcher Adam Gowdiak says that it remains vulnerable. On the Bugtraq security mailing list, Gowdiak reports that he has found a security hole in the current version of Java that can be combined with holes he previously discovered to disable the sandbox yet again. Disabling the sandbox would give attackers easy access to a victim's system and allow them to run malware to further compromise that system.
The researcher says that he has sent a proof-of-concept exploit to Oracle, the maker of Java. Back in April, Gowdiak discovered 29 Java holes and reported them to the company; among them were the vulnerabilities that are now being exploited by the public Java 7 Update 6 exploit. Although Oracle has closed some of the holes Gowdiak reported, the majority appear to remain unpatched. The company has not stated when it plans to fix the rest of the vulnerabilities.
The researcher has always confidentially notified Oracle of his findings. Armed with the knowledge that these holes exist, it is likely that others will start hunting for them. The only hope is that, this time, Oracle will provide a patch before the vulnerabilities are actively being exploited for attacks. The next scheduled Java update is due on 16 October 2012.