Adam Gowdiak of Security Explorations has disclosed the existence of a critical security vulnerability in Java SE 5, 6 and 7.
The flaw allows an attacker to completely bypass Java's security sandbox, Mr Gowdiak claimed.
The vulnerability has been demonstrated on Windows 7 with Java SE 5 Update 22, SE 6 Update 35 and SE7 Update 7, using Firefox 15.0.1, Google Chrome 21.0.1180.89, Internet Explorer 9.0.8112.16421 (update 9.0.10), Opera 12.02 (build 1578), and Safari 5.1.7 (7534.57.2).
In an interview with Computerworld Mr Gowdiak said the vulnerability was present regardless of the operating system if Java SE 5, 6 or 7 is installed.
Security Explorations has provided Oracle with a technical description of the problem and the source and binary code for the proof of concept exploit.
The next Java update is due in around three weeks, but given the apparent severity of this issue is is possible that Oracle will release an out-of-cycle update as it did at the end of August.
However, that patch was criticised by Mt Gowdiak as it contained a bug that made some unpatched vulnerabilities easier to exploit.