Researcher uncovers yet another Java hole
Contributed by: Email on 09/26/2012 03:08 PM
The Polish security researcher Adam Gowdiak has found another vulnerability in Java that could allow an attacker to bypass the sandbox. He gave details of the discovery in a posting to the Full Disclosure mailing list. Using the hole, Gowdiak has been able to create a Java applet which, when running in the browser, can run with the user's privileges and then place malicious code on the system and execute it.
Gowdiak had previously disclosed a similar vulnerability in the most recent version of Java, Java 7 Update 7. The new vulnerability, however, can be exploited on Java 5 and Java 6. The researcher has already confidentially sent information about the hole to Java maker Oracle, along with proof-of-concept code.
So far there are no reports that the vulnerability is being exploited for attacks. Oracle has not said whether or when it will close the vulnerability. A previous issue reported by Gowdiak in April 2012 was not fixed until late August after attacks using the vulnerability had begun in earnest.