Security researcher Adam Gowdiak has uncovered a new zero-day vulnerability in Oracle's Java software. The bug is said to be present in currently-supported versions including Java 5, Java 6 and Java 7 and has the potential to allow attackers to install malware on nearly 1 billion systems (based on installation numbers from Oracle).
The exploit affects Macs and PCs equally which means that any system running Java could be at risk. The good news, at least for now, is that it poses little danger to the general public. Gowdiak, who's known for finding similar chinks in Java's armor, said he isn't aware of any active attacks that exploit this particular vulnerability.
He reportedly discovered it last week and spent this past weekend testing a proof-of-concept before revealing it to Oracle yesterday. The software company has since confirmed the vulnerability with Gowdiak and said it will be patched in a future security update. They didn't mention when exactly this would occur but the next scheduled update on Oracle's calendar is October 16.
The security researcher said he decided to go public with his findings, short of detailing exactly how to exploit the vulnerability, in the hope that it would put pressure on Oracle to patch it sooner rather than later. He's hoping the software company will be able to get the work done in time for next month's patch update before hackers can discover it on their own.