Adam Gowdiak, the CEO of Security Explorations – the company that discovered the recent Java vulnerabilities -, told Softpedia that Oracle confirmed the existence of the second flaw, reported on August 31, 2012.
“Oracle confirmed the security issue reported to them on Aug 31, the one that affects the out-of-band patch released on Aug 30. This is visible at our vendor status page,” Gowdiak wrote in an email.
The second bug reported to Oracle was identified right after the company released an out-of-band patch for Java 7. Although it was unusual for them to make available such fixes, the move was necessary considering the fact that the vulnerability was exploited in the wild.
Source:
