It has been discovered that a security patch released by Oracle for the Java software framework 30 months ago was botched, leaving millions of users vulnerable.
In September 2013, Oracle said it had addressed a major security hole discovered by security firm Security Explorations. But the patch turned out to be incomplete, leaving users exposed to an attack that Oracle had claimed was no longer possible.
On Thursday Security Explorations released code that bypasses the patch; it differs from the original proof-of-concept exploit only in minor details.
'This weakness made it possible to implement a very classic attack against JVM (class spoofing attack),' said the researchers in a letter to the Full Disclosure mailing list.
Besides failing to fix the problem, Oracle also misjudged its impact, the researchers say, having stated that the issue could only be exploited through sandboxed Java Web Start applications and sandboxed Java applets.
'This is not true,' wrote the researchers. 'We verified that it could be successfully exploited in a server environment as well such as Google App Engine for Java.'
'We implemented a Proof of Concept code that illustrates the impact of the broken fix described above - it has been successfully tested in the environment of Java SE Update 97, Java SE 8 Update 74, and Java SE 9 Early Access Build 108. In all cases, a complete Java security sandbox escape could be achieved.'
Although there is not yet any evidence that the vulnerability is being maliciously exploited in real-world attacks, it is one of some 50 flaws that Security Explorations has found in Java over the last few years.
Recent research by security systems specialist Shavlik found that 58% of security professionals see Java as providing the biggest application patching worry.
'The good news is that Thursday's exploit code doesn't bypass the click-to-play protections Oracle added to Java to make code-execution attacks harder to carry out,' writes Dan Goodin, Security Editor at Ars Technica, advising against using Java if at all avoidable. 'Those who must use it to access corporate intranets or other sites should ensure click-to-play is enabled. Even then, they should consider using Java with a dedicated browser that isn't employed for general browsing.'