Every currently supported version of Java is vulnerable to a new exploit, according to Adam Gowdiak, a security expert who is known for finding Java exploits. That could include up to a billion computers, according to Oracle’s installation statistics.
Gowdiak has sent the source code of the vulnerability, which can be used to install malware on a user’s computer, to Oracle for analysis. He has assisted in getting Java exploits closed in the past, though Oracle’s record of getting them all fixed in time is mixed, according to ComputerWorld:
Gowdiak has found other Java vulnerabilities in the past: Earlier this year he reported more than a dozen to Oracle. Months later, hackers independently uncovered one of the bugs, then began using it in widespread attacks during August.
On Aug. 30 Oracle shipped one of its rare emergency, or “out-of-band,” security updates to patch the exploited Java bug.