msm1267 writes "Additional details and code demonstrating a possible security vulnerability in Java were released this morning by a Polish security research company, bringing to a head a three-week long debate between the researcher and Oracle over whether the issue is indeed a vulnerability or an allowed behavior in Java.
Adam Gowdiak of Security Explorations has been back and forth with Oracle since Feb. 25 over the lack of a security check in a certain Java operation that when combined with another vulnerability discovered by the firm can result in a complete Java sandbox bypass.
Oracle has refused to confirm the issue is a security vulnerability and told Gowdiak that it continues to investigate. A request for comment from Oracle was not returned by the time of publication. Gowdiak said he sent Oracle detailed information on Feb. 25 about two vulnerabilities he calls Issue 54 and 55, along with source and binaries for proof of concept code. Oracle confirmed Issue 55 as a vulnerability, but said 54 is an “allowed behavior.”"
Link to Original Source