Against the backdrop of the recent attacks on Facebook, Apple and Microsoft employee computers that exploited Java flaws, a report of two new Java vulnerabilities emerged today. The flaws, which are present in the latest release, Java 7 Update 15, reportedly allow a complete bypass of the Java security sandbox. The information was published on February 25, 2013, on the Vendors status web page of the Polish security firm Security Explorations, which notified Oracle of the flaws in a Vulnerability Notice accompanied by proof-of-concept code. According to Security Explorations, which has reported several other Java flaws in recent months, Oracle has confirmed receipt of the report and assigned tracking numbers to the two issues.
In an interview with Softpedia, Security Explorations CEO Adam Gowdiak said: "Both new issues are specific to Java SE 7 only. They allow one to abuse the Reflection API in a particularly interesting way. Without going into further details, everything indicates that the ball is in Oracle's court. Again." Softpedia went on to report that, "When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox."
Oracle has released two updates to Java SE 7 in February 2013. Although Oracle had scheduled its February Critical Patch Update for February 19, it released an out-of-cycle update on February 1 (Update 13) that patched 50 Java vulnerabilities. Oracle then shipped the February Critical Patch Update on February 19, addressing 5 additional Java flaws (Update 15). Oracle's next Critical Patch Update is scheduled for April 16, 2013, but it could conceivably issue another out-of-cycle Java update sooner.
No information was available on whether exploits for the two new flaws are "in the wild". However, the importance of keeping Java up to date is underscored by the existence of automated exploit kits that already target unpatched installations of Java 7 Update 11 and Java 7 Update 13. Keep your system's Java current, and don't click Run at the Java Security Warning for an applet from a source you don't know or trust. If you don't need Java in the browser at all, disabling the browser plug-in removes the attack surface these drive-by kits depend on.