[SE-2012-01] New security issues affecting Oracle's Java SE 7u15

Hello All,

We had yet another look into Oracle's Java SE 7 software that
was released by the company on Feb 19, 2013. As a result, we
have discovered two new security issues (numbered 54 and 55),
which when combined together can be successfully used to gain
a complete Java security sandbox bypass in the environment of
Java SE 7 Update 15 (1.7.0_15-b03).

Following our Disclosure Policy [1], we provided Oracle with
a brief technical description of the issues found along with
a working Proof of Concept code that illustrates their impact.

Both new issues are specific to Java SE 7 only. They allow to
abuse the Reflection API in a particularly interesting way.

Without going into further details, everything indicates that
a ball is in Oracle's court. Again.

Thank you.

Best Regards
Adam Gowdiak

Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"

References:
[1] Security Explorations - Disclosure Policy
http://www.security-explorations.com/en/disclosure-policy.html