Oracle’s most famous product might be Java, but it has its fair share of vulnerabilities, and the past few weeks seem to have brought a lot of them to the forefront. Java 7 has seemingly slipped up again, with two more potential vulnerabilities reported.
A Polish security firm has reported not one but two new vulnerabilities in Java 7, which it labels “Issue 54” and “Issue 55”. They are zero-days in the sense that no fix exists yet: the reports went to Oracle, which is investigating both but at present has not confirmed either. Various security experts have suggested disabling Java’s browser plugin in the past, and it isn’t a bad idea: the plugin is what lets a malicious or compromised web page run an applet without any action from the user, so switching it off removes the drive-by exposure while leaving standalone Java applications working.
The Polish firm responsible for the discoveries is Security Explorations, headed by Adam Gowdiak. According to its website, it is a security start-up whose aim is to conduct unbiased security analysis. Gowdiak has had some other successes (if vulnerabilities can be called that) with Java in the past, having reported more than 50 security issues to date, which explains why the new ones are numbered 54 and 55. Security Explorations appears to know its stuff; other reports document its track record in this field.
Oracle patches Java on a fixed Critical Patch Update schedule rather than on demand, so unless it judges these issues serious enough for an out-of-band Security Alert, we won’t hear anything official about them for a while. Gowdiak’s track record says he knows Java well, so the smart money says he has found something; until Oracle confirms it, though, both reports remain unverified.
Source: Security Explorations