While Gowdiak said that he found the new Java bug last week -- and took the weekend to create and test a proof-of-concept exploit -- he only reported it to Oracle on Tuesday. In a follow-up email to Computerworld, Gowdiak said, "We just received confirmation of the issue from Oracle."
The company also told him that the bug will be patched in a future Java security update, but did not say which one. The next on Oracle's quarterly schedule will ship Oct. 16.
That was one of several reasons Gowdiak gave for announcing the bug publicly, albeit without technical details, rather than keeping his report private and waiting for Oracle to quietly patch Java. "There are still three weeks until the scheduled Java October Critical Patch Update [CPU], so it might be possible that Oracle manages to address the bug [on Oct. 16]," he said.
Gowdiak also said it was "simply our obligation to provide users with a proper warning," especially in light of recommendations last month to shift from Java 7 to the then-safe Java 6.
The fact that Java 6 is vulnerable will be of special interest to anyone using a Mac that runs OS X 10.6 (Snow Leopard) or OS X 10.5 (Leopard). Apple stopped bundling Java with OS X in 2011, but 2009's Snow Leopard and 2007's Leopard shipped with Apple's Java 6, and Oracle's Java 7 does not run on either release, so Java 6 is the only Java those machines can have. If hackers have found, or do find, Gowdiak's vulnerability on their own and exploit it before Oracle patches, Snow Leopard and Leopard users will be at risk, just like those running Lion or Mountain Lion.
The publicity of the newest Java zero-day -- several media outlets reported it yesterday -- will, of course, put some pressure on Oracle to act quickly, a reason often cited by security researchers who broadcast the existence of a flaw before a patch is available.
Gowdiak had an answer for that, too.
"We [make] public announcements, so that users are aware that there are some risks associated with given software or a technology, and can plan their actions accordingly," he said. He also declined to share more information about the nature of the vulnerability than the vague description in the Full Disclosure message.
Gowdiak confirmed that his proof-of-concept exploit worked against the Java plug-in used by the current versions of Chrome, Firefox, Internet Explorer 9, Opera and Safari on Windows 7.
As virtually every security professional has done when a Java vulnerability or exploit surfaces, Gowdiak yesterday urged users to disable the plug-in in their browsers until Oracle issues a patch.
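"Disable the plug-in" is only useful advice if you can verify it took effect. The check below is an added example, not code from the article or from Security Explorations: it enumerates the browser's navigator.mimeTypes and navigator.plugins, which is how exploit kits of the period decided whether a visitor had a Java plug-in exposed and which JRE version it would launch. Paste it into a browser console to see what a page can learn about your own Java plug-in; the sample navigator objects and plug-in strings are constructed for the example and were not captured from a real machine.

```javascript
// Added example (not from the article): detect whether a Java plug-in is
// exposed to web content, and which Java versions it advertises, using the
// same navigator.mimeTypes / navigator.plugins enumeration that exploit
// kits used to choose a Java exploit. Usable in a browser console or in
// Node with a constructed navigator-like object.

// Java plug-in MIME types of the era. The version suffixes are how the
// plug-in advertised which JRE(s) it would start for an applet tag.
const JAVA_MIME_RE =
  /^application\/x-java-(applet|vm|bean)(;(?:jpi-)?version=(\d+(?:\.\d+)*(?:_\d+)?))?$/i;

// Collect every Java MIME type, with the version it carries (if any) and
// the plug-in that would handle it.
function listJavaMimeTypes(nav) {
  const out = [];
  const mimeTypes = (nav && nav.mimeTypes) || [];
  for (let i = 0; i < mimeTypes.length; i++) {
    const mt = mimeTypes[i];
    const m = JAVA_MIME_RE.exec(mt.type || "");
    if (m) {
      out.push({
        type: mt.type,
        version: m[3] || null,
        plugin: mt.enabledPlugin ? mt.enabledPlugin.name : null,
      });
    }
  }
  return out;
}

// "1.6.0_35" -> [1, 6, 0, 35]; "1.7" -> [1, 7]. Missing trailing fields
// compare as zero, so "1.7" sorts below "1.7.0_07".
function parseJavaVersion(v) {
  return v.split(/[._]/).map(Number);
}

function compareVersions(a, b) {
  const pa = parseJavaVersion(a);
  const pb = parseJavaVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Summarise what a page can learn: is any Java plug-in enabled, under what
// names, and what is the newest JRE version it advertises.
function javaPluginStatus(nav) {
  const mimes = listJavaMimeTypes(nav);
  const plugins = new Set();
  const versions = new Set();
  for (const m of mimes) {
    if (m.plugin) plugins.add(m.plugin);
    if (m.version) versions.add(m.version);
  }
  // Some browsers list the plug-in by name without versioned MIME types.
  const list = (nav && nav.plugins) || [];
  for (let i = 0; i < list.length; i++) {
    if (/java/i.test(list[i].name || "")) plugins.add(list[i].name);
  }
  const sorted = [...versions].sort(compareVersions);
  return {
    enabled: plugins.size > 0 || mimes.length > 0,
    plugins: [...plugins].sort(),
    versions: sorted,
    newest: sorted.length ? sorted[sorted.length - 1] : null,
  };
}

// Constructed sample modelled on a Windows 7 browser with the Java 7 plug-in
// installed (assumed strings, not captured from a real machine).
const SAMPLE_NAVIGATOR = {
  plugins: [
    { name: "Java(TM) Platform SE 7 U7", description: "Next Generation Java Plug-in 10.7.2 for Mozilla browsers" },
    { name: "Shockwave Flash", description: "Shockwave Flash 11.4 r402" },
  ],
  mimeTypes: [
    { type: "application/x-java-applet;version=1.7", enabledPlugin: { name: "Java(TM) Platform SE 7 U7" } },
    { type: "application/x-java-applet;jpi-version=1.7.0_07", enabledPlugin: { name: "Java(TM) Platform SE 7 U7" } },
    { type: "application/x-java-vm", enabledPlugin: { name: "Java(TM) Platform SE 7 U7" } },
    { type: "application/x-shockwave-flash", enabledPlugin: { name: "Shockwave Flash" } },
  ],
};

// What the same browser reports once the Java plug-in has been disabled.
const DISABLED_NAVIGATOR = { plugins: [], mimeTypes: [] };

// In a browser, report on the real navigator; both Java 6 and Java 7 are
// affected here, so any enabled plug-in means the advice above applies.
if (typeof navigator !== "undefined") {
  console.log(javaPluginStatus(navigator));
}
```

Because the article says both Java 6 and Java 7 are affected, the only result to act on is `enabled: false`; a newest version below 1.7 tells you the machine is on Java 6, which matters for the Snow Leopard and Leopard users discussed above, but does not make it safe.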
Security Explorations keeps an up-to-date account of the vulnerabilities it reports to vendors, and their reactions, if any, on its website.