DarkVision Hardware - Daily tech news
June 19, 2013 

Oracle not patching critical Java bug until February

Posted on Thursday, October 18 2012 @ 17:02:37 CEST by


Last month security researchers discovered a dangerous bug in Java that enables attackers to bypass the sandbox. Unfortunately, it seems a patch isn't coming anytime soon. Oracle usually patches Java security bugs on a quarterly basis. The latest Java update arrived on Tuesday, and while it included updates for 30 security bugs, the sandbox fix wasn't part of it.

According to Adam Gowdiak of Polish security firm Security Explorations, Oracle confirmed to him that a patch won't be issued until February 19, 2013.
Gowdiak said he plans to present technical details on the flaw Nov. 14 at the Devoxx Java Community Conference in Belgium. His team did share a technical description of the issue and source and binary codes of proof-of-concept exploit code.

The vulnerability and exploit were announced in late September. Gowdiak’s exploit successfully beat a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately have full remote control of a compromised machine.
Pretty much the same thing happened in August, but then Oracle was forced to issue an out-of-cycle patch due to the severity of the vulnerability as well as widespread media coverage.


 



 

All logos and trademarks are property of their respective owner.
The comments are property of their posters, all the rest © 2002-2013 DM Media Group bvba