Oracle's Java programming framework has once again been found vulnerable with a new hole allowing an attacker to completely bypass the security sandbox that isolates apps from the rest of the system.
Once again the flaw was discovered by researcher Adam Gowdiak, whose firm Security Explorations focuses on Java.
Gowdiak said the flaw affects Java SE 7 and is present not just in the browser runtime environment and development kit software, but also in the Server JRE, and that it exploits a flaw in the Java Reflection application programming interface (API).
This time around, however, the flaw requires users to click away a security warning dialog to work, meaning a so-called drive-by exploit is unlikely to be successful.
The Reflection API is a feature that programs can use to modify the runtime behaviour of applications running in a Java virtual machine. Oracle warned that it was an advanced feature that should not be used without a strong grasp of the fundamentals of Java.
Separately from Gowdiak, Jeroen Frijters, a Java developer in the Netherlands, discovered by accident that by changing the Double.TYPE constructor to Integer.TYPE and by using the Reflection API to copy an integer field from one object to another, arbitrary code can overwrite public fields and disable the framework security manager.
Frijters published his proof-of-concept code on his blog last week, and yesterday security vendor F-Secure noted that it had been included in the Metasploit exploit kit on April 20, with attacks "actively happening".
According to Frijters, that particular security flaw was addressed by Oracle in last week's critical patch update, which plugged 42 holes in Java.