Security researchers have discovered a new vulnerability in the latest Java version, Java 7 Update 10, and in earlier versions of the software, which could give attackers access to users’ computers.
The US Computer Emergency Readiness Team (US-CERT) confirmed that Java 7 Update 10 and earlier versions contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
According to US-CERT, the vulnerability is already reportedly being exploited in the wild (meaning cyber criminals could target unpatched systems), has been incorporated into exploit kits, and its exploit code is publicly available.
US-CERT said it is currently unaware of a practical solution to this problem, although starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet.
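The check a defender would want after reading the advisory, as an added example that is not part of the article: classify a `java -version` banner against the "Java 7 Update 10 and earlier" range US-CERT named, and confirm whether Java content in browsers has been turned off. It assumes the Control Panel setting is persisted as the `deployment.webjava.enabled` key in `deployment.properties` (from the 7u10 release notes, not stated in the article); the banners and properties text are constructed samples.

```python
import re

# Version banners as printed by `java -version` (constructed samples for this example).
SAMPLE_BANNERS = {
    "current-7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "older-7u7": 'java version "1.7.0_07"',
    "newer-7u11": 'java version "1.7.0_11"',
}

# Constructed deployment.properties fragment. deployment.webjava.enabled is the key the
# 7u10 Control Panel "Enable Java content in the browser" checkbox writes (assumption).
SAMPLE_DEPLOYMENT_PROPERTIES = "deployment.version=7.10\ndeployment.webjava.enabled=false\n"

_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)"')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(banner):
    """True when the runtime is Java 7 Update 10 or earlier, the range US-CERT named.
    Other major versions are reported as out of scope (None) rather than guessed."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    if major != 7:
        return None
    return update <= 10


def browser_java_disabled(properties_text):
    """True if deployment.properties turns off Java content in web browsers."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "false"
    return False  # key absent: Java in the browser stays enabled by default


def assess(banner, properties_text):
    """Combine both checks into a one-word posture for a host inventory."""
    affected = is_affected(banner)
    if affected is None:
        return "out-of-scope"
    if not affected:
        return "not-affected"
    return "mitigated" if browser_java_disabled(properties_text) else "exposed"
```

A host reporting "exposed" has a runtime in the advisory's range with browser Java still enabled, which is the combination the exploit kits mentioned below rely on.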
It was ‘Kafeine’, a blogger, who brought the flaw to the notice of US-CERT.
AlienVault Labs manager Jaime Blasco said his company was able to reproduce an attack with the exploit against a fully patched Java platform.
Blasco said: "The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks, tricking the permissions of certain Java classes."
In December 2011, researchers at M86 warned that exploits for a Java vulnerability were already available in the wild.