Despite Oracle's recent attempt to patch Java, reports surfaced earlier this week that the update was incomplete and did not address all of the critical holes in the application. Today, further reports indicate that two new sandbox-bypass flaws have been found and remain unpatched.
“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code: a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.
In the meantime, I highly suggest that all Java users either remove the plug-in or disable it. The Windows control panel for Java makes it easy to disable the Java plug-in, giving you the option of keeping it installed and enabling it only when needed. Instructions on how to disable Java in Chrome, Firefox and Safari are also available from their respective vendors.