Polish firm Security Explorations has uncovered a new security flaw in Java that leaves plug-ins for all popular browsers vulnerable.
CEO Adam Gowdiak told Computerworld that up to a billion Java users were at risk and recommended users disable Java plug-ins until patches are available to mitigate against the vulnerability.
The issue had been reported to Java-owner Oracle but the firm said it had not yet received a response, although Gowdiak expected the flaw to be addressed in Oracle's Critical Patch Update due on October 16.
The new vulnerability is completely different to the widely-publicised zero-day flaw that Oracle issued an emergency patch for on August 30, and violates a a fundamental security constraint of a Java Virtual Machine, namely type safety.
Gowdiak said that the vulnerability his team found has a wider impact than previous Java flaws, as it affects Java versions 5, 6 and 7.
Proof-of-concept code showed it was possible to completely bypass the Java security "sandbox", allowing attackers to install programs, view, change and deleta data with the privileges of the logged-on user via a malicious applet.
According to Gowdiak, Security Explorations has found a total of 50 vulnerabilities in Java up until this year.
The security flaw discovery comes just ahead of Oracle's JavaOne 2012 conference in San Francisco on September 30, Pacific Time.