A new Java flaw that affects all Java Runtimes and puts billions of users at risk has surfaced this morning.
The vulnerability could have very serious repercussions all over the internet. Security Explorations has reviewed a new critical security flaw in Java SE 5 build 1.5.0_22-b03, Java SE 6 build 1.6.0_35-b10, and the latest Java SE 7 build 1.7.0_07-b10. The security problem lies in the Java virtual machine and how it handles defined data (a-type); it violates a security constraint in the Java Runtime and allows a complete Java sandbox bypass, which is critical. Security Explorations demonstrated the flaw on a fully patched 32-bit Windows 7. The flaw is functional on all popular browsers (Chrome, Firefox, IE, Opera, etc.). The error will affect everybody with Java installed, including Windows (32/64), Linux, Mac, and Solaris users. Security Explorations has already alerted Oracle.
This exploit is far more widespread than any other Java exploit found so far, but as of now I can't find any malware using it. Given how powerful the hack is, it is a matter of days until someone pushes malware that uses it. I cannot emphasize enough the importance of reducing the number of active runtimes on your system. Also, if you don't use Java, and if you care about security, then you might be best off uninstalling or disabling it temporarily.
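To act on that advice you first need to know which runtimes are installed and whether they are among the builds named above. The following inventory script is an added example, not part of the original article or of Security Explorations' work: it parses the output of `java -version` (the sample outputs below are constructed, and the `java` binary path is assumed to be on `PATH`) and flags any build at or below the three listed as affected. Since the article names no fixed version, newer builds are reported as "unknown" rather than "safe".

```python
"""Inventory check for the Java builds named in the article (added example).

Assumptions (not from the article): builds newer than the ones listed may
already carry a fix, so they are reported as "unknown" rather than "safe";
the sample outputs below are constructed, not captured from a real system.
"""
import re
import subprocess

# Builds the article lists as confirmed affected: (major, minor, patch, update, build)
AFFECTED_BUILDS = {
    (1, 5, 0, 22, 3),   # Java SE 5 build 1.5.0_22-b03
    (1, 6, 0, 35, 10),  # Java SE 6 build 1.6.0_35-b10
    (1, 7, 0, 7, 10),   # Java SE 7 build 1.7.0_07-b10
}

_BUILD_RE = re.compile(r"build (\d+)\.(\d+)\.(\d+)_(\d+)-b(\d+)")


def parse_build(version_output):
    """Extract (major, minor, patch, update, build) from `java -version` output, or None."""
    m = _BUILD_RE.search(version_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(build):
    """'affected' for a listed build or anything older in the same major/minor family,
    'unknown' for newer builds (no fixed version is named), 'unparsed' if parsing failed."""
    if build is None:
        return "unparsed"
    for affected in AFFECTED_BUILDS:
        if build[:2] == affected[:2] and build <= affected:
            return "affected"
    return "unknown"


def check_installed(java_path="java"):
    """Run the local runtime, if any; returns ('missing', None) when no java binary is found."""
    try:
        proc = subprocess.run([java_path, "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired, PermissionError):
        return "missing", None
    # `java -version` historically writes its banner to stderr, so read both streams
    build = parse_build(proc.stderr + proc.stdout)
    return classify(build), build


# Constructed sample outputs in the format `java -version` prints
SAMPLE_AFFECTED = 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)\n'
SAMPLE_OLDER = 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b04)\n'
SAMPLE_NEWER = 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment (build 1.7.0_09-b05)\n'

if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_OLDER, SAMPLE_NEWER):
        build = parse_build(sample)
        print(classify(build), build)
    print(check_installed())
```

Run it once per runtime you know about (pass the full path of each `java` binary to `check_installed` when several are installed side by side); every result other than "missing" is a runtime worth disabling or removing until Oracle ships a fix.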