Polish security outfit Security Explorations claimed that millions of users vulnerable to attacks that Oracle had claimed were no longer possible.
Security Explorations has issued a bypass code to the original exploit which contains only minor changes to the original proof-of-concept. The bypass changes only four characters from the 2013 code and uses a custom server to work.
The proof of concept ahs been successfully tested on Java SE Update 97, Java SE 8 Update 74, and Java SE 9 Early Access Build 108. In all cases, a complete Java security sandbox escape could be achieved.
Oracle also failed to fully evaluate the breadth of the vulnerability. While the company said it could be exploited only through the sandboxed Java Web start applications and sandboxed Java applets, it can also be exploited in server environments such as the Google App engine for Java. There are no indications that the vulnerability is being actively exploited in the wild. On Thursday, Adobe issued an update for its Flash media player that patched almost two dozen vulnerabilities, at least one of which was being maliciously exploited in real-world attacks.