<p>Oracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, according to the researcher who discovered the flaw. Adam Gowdiak of Polish security firm Security Explorations told Threatpost via email that Oracle said it was deep into testing of another Java patch for the October CPU released yesterday and that it was too late to include the sandbox fix.</p>
<p>Gowdiak said he plans to present technical details on the flaw Nov. 14 at the Devoxx Java Community Conference in Belgium. His team did share a technical description of the issue, along with the source and binary code of a proof-of-concept exploit.</p>
<p>The vulnerability and exploit were announced in late September. Gowdiak's exploit successfully beat a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately gain full remote control of the compromised machine.</p>
<p>Oracle did not respond to a request for comment.</p>
<p><a href="http://threatpost.com/en_us/blogs/oracle-leaves-fix-java-se-zero-day-until-february-patch-update-101712">Keep reading...</a></p>
<p>Read also:</p>
<p><a href="http://krebsonsecurity.com/2012/10/critical-java-patch-plugs-30-security-holes/">Critical Java Patch Plugs 30 Security Holes</a> (Krebs on Security)</p>
<p><a href="http://www.theregister.co.uk/2012/10/17/oracle_quarterly_patch_batch/">Oracle squashes 109 bugs in quarterly patch batch</a> (Register)</p>
<p><a href="http://www.darkreading.com/vulnerability-management/167901026/security/news/240009195/3-must-fix-vulnerabilities-top-oracle-cpu-patches.html">3 Must-Fix Vulnerabilities Top Oracle CPU Patches</a> (Dark Reading)</p>