A security research team that has alerted Oracle to a series of security flaws in Java in the past, says that it has uncovered new zero-day vulnerabilities in the software.
According to Polish firm update posted by Security Explorations, it has sent proof-of-concept code to Oracle’s security team – so they can investigate the issue.
The concern is that the flaws could be exploited to completely bypass Java’s security sandbox and infect computers in a similar fashion to the attacks which recently troubled the likes of Facebook, Apple and Microsoft.
In those cases, cybercriminals hacked legitimate websites and planted code which exploited Java vulnerabilities when developers visited using web browsers that had a vulnerable version of the Java plugin.
Softpedia reports Security Explorations CEO Adam Gowdiak as saying:
"Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way... Without going into further details, everything indicates that the ball is in Oracle's court. Again."
So, many computer users find themselves in what is becoming a disturbingly familiar situation – looking to see when Oracle will confirm that the flaws exist, and then waiting for the inevitable security update for Java.
Here’s the best piece of advice we can give you right now:
If you don’t need Java enabled in your browser, here’s how to turn it off now
Many people who have Java enabled in their browser simply do not need it (By the way, don’t mix up Java with JavaScript – they’re different things), so the best solution for many folks is to rip Java out of their browser entirely.
If you don’t need Java, why put yourself at risk?
Dirty cup of coffee image from Shutterstock.