More zero-day bugs found in Java, despite recent patches

Despite the recent patches issued by Oracle, its Java software still has zero-day bugs, a Polish research company disclosed this week.

 

Poland-based Security Explorations said it already sent the vulnerability notice and a proof of concept to Oracle, which it said will look into the matter.

 

"Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon," it said.

 

Security Explorations described itself as "providing cutting-edge consulting and research services in the area of software security."

 

A separate blog entry by security vendor Sophos said the concern about the zero-day vulnerability is that the flaws may be exploited to infect computers.

 

Sophos noted attackers had recently targeted large firms like social networking site Facebook, tech darling Apple and software giant Microsoft.

 

"In those cases, cybercriminals hacked legitimate websites and planted code which exploited Java vulnerabilities when developers visited using web browsers that had a vulnerable version of the Java plugin," it said.

 

Sophos advised computer users to turn off Java if they do not need it running in their browser.

 

"Many people who have Java enabled in their browser simply do not need it (By the way, don't mix up Java with JavaScript - they're different things), so the best solution for many folks is to rip Java out of their browser entirely. If you don't need Java, why put yourself at risk?" it said. — TJD, GMA News