Security Explorations researcher Adam Gowdiak posted a message on Friday stating that his team had discovered not one, not two, but three security holes in Java's latest version.
According to Gowdiak, one of the security risks manifests as the same problem for which Oracle recently released emergency patch Java 7 Update 11.
The vulnerability allows clever hackers to gain a "complete Java security sandbox bypass", a persisting problem that prompted the U.S. Department of Homeland Security to recommend disabling the software temporarily.
Security Explorations also found two new security flaws in "recent version of Java SE7 code," which it has submitted to Oracle for review, and hopefully for a fix.
The researchers at Security Explorations cited the exploiter group Immunity as one of their sources in discovering the still-vulnerable portion of Java code after the patch was issued.
A quick browse through Immunity's findings shows that the remaining flaw is predicated on the signing of a Java applet, and that the flaw is not present in Java 6, which has been confirmed by Oracle.
Because of the prompt added by the Java 7 Update 11, a portion of the initial security hole has been filled, and unsigned applets can no longer gain access by that method.
However, if the new holes discovered by Gowdiak and team are legitimate threats, it may be advisable to keep Java disabled for browsers until Oracle responds with another, more complete fix.