A serious security vulnerability affecting current versions of Java, originally reported in 2012 (PDF), remains only partially fixed, according to Adam Gowdiak of Security Explorations.
When Oracle released Java 7 Update 40 in October 2013, the original issue appeared to have been fixed. Subsequent testing showed that the fix addressed only the original Proof of Concept (PoC) code provided by Mr. Gowdiak: a slightly modified version of the PoC revealed that the fix was incomplete.
Until recently, Gowdiak was reluctant to announce his discovery of the partial fix, because of his own organization’s disclosure policies. On March 7, 2016, those policies were updated: “A recent change to those policies means that if an instance of a broken fix for a vulnerability we already reported to the vendor is encountered, it gets disclosed by us without any prior notice.”
Mr. Gowdiak revealed his findings (PDF) at the recent Javaland conference, and on the Full Disclosure security email list. The original PoC code was altered slightly to demonstrate the vulnerability and provided to Oracle.
Whether this issue will ever be completely fixed remains to be seen. Meanwhile, our advice about Java is unchanged: if you don't need it, uninstall it. If you need it to run a specific application, remove Java from your web browsers, or leave it enabled only in a browser you use solely for those applications. At the very least, make sure your browsers are configured so that Java content does not run automatically (i.e. enable click-to-play).
You can read more about the history of this and other Java security vulnerability research conducted by Adam Gowdiak at his Security Explorations web site.
Other references: Ars Technica.