msm1267 (2804139) writes "Giving a prolific bug hunter an excuse to go poking deeper into a potential security issue generally doesn’t end well or the vendor in question—in this case Oracle. Polish security firm Security Explorations, noteworthy for its Java security research, said today it reported five new vulnerabilities in Java SE 7 to Oracle. If combined, researcher Adam Gowdiak said, they can be used to gain a complete bypass of the Java sandbox. The deeper look stemmed from a recent submission the company made to Oracle on Feb. 25 of two vulnerabilities that when used in conjunction could also bypass the sandbox. Gowdiak said Oracle dismissed one of the issues he reported, which he labels Issue 54, and called it “allowed behavior,” rather than a vulnerability. It confirmed the other. “We confirmed that company's initial judgment of Issue 54 as the ‘allowed behavior’ contradicts both Java SE documentation as well as existing security checks in code,” he said. “It looks Oracle needs to either start treating Issue 54 as a vulnerability or change the docs and relax some of the existing security checks.""
Link to Original Source