A botched security fix released for the Java software framework 30 months ago has left millions of users vulnerable to attacks that Oracle had claimed were no longer possible, a security researcher said.
The bypass code, published Thursday by Polish security firm Security Explorations, makes only minor changes to the original proof-of-concept, according to an e-mail posted to the Full Disclosure mailing list. Security Explorations had released that original exploit in October 2013, after Oracle shipped its patch.
Thursday's bypass changes only four characters of the 2013 code and relies on a custom server to work. It means that millions of Java users have remained exposed to the flaw, tracked as CVE-2013-5838, despite Oracle's assurances that the attack was no longer possible.
Continued: http://arstechnica.com/security/2016/03/botched-java-patch-leaves-millions-vulnerable-to-30-month-old-attack/
Related:
Two Years Later, Java Security Still Broken Due to Faulty Oracle Patch
http://news.softpedia.com/news/two-years-later-java-still-broken-due-to-faulty-oracle-patch-501633.shtml