As if the possible presence of undiscovered exploits in their applications wasn’t enough cause for worry, Oracle Corp. customers will now also have be mindful of known faults that are supposedly already fixed.  A new report from Polish consultancy Security Explorations that was picked by PCWorld this morning reveals how a vulnerability patched back in 2013 can still be abused to compromise devices running up-to-date versions of the Java Runtime Environment (JRE).

The flaw, which goes by the designation CVE-2013-5838, was given a score of 9.3 out of 10 on Oracle’s risk scale at the time of the original discovery due to its susceptibility to remote exploitation. Hackers could take advantage of the vulnerability without direct access to the target machine and didn’t even have go through the trouble of bypassing Java’s authentication mechanism. The patch that the vendor released in 2013 to try and address the issue complicated the process slightly, but that won’t provide much consolation for any users who might have their computers compromised due to the ineffectiveness of the update.

Security Explorations claims that its researchers were able to undo Oracle’s fix by changing only four characters in a publicly-accessible piece of code they created three years ago to test the flaw. A hacker could incorporate the snippet into malware disguised as a legitimate Java applet to trick workers of an organization into running the program and expose themselves to attack. Worse, the vulnerability makes it possible to access a computer even without drawing the attention of its user in the event that the default security settings of the JRE are somehow disabled due to an oversight during the installation process or deliberate sabotage.

After successfully getting their malware onto the target machine, the attacker would be able to break out of the isolated sandbox in which Java runs and start looking for sensitive data. The most alarming aspect of the vulnerability is that no fix is currently available because Oracle was not given advance notice prior the publication of Security Explorations’ report. The Polish firm said that the move is part of a recent change of policy designed to pressure vendors into ensuring their security patches achieve their intended purpose and don’t leave organizations exposed to attack.

As a result, users have no choice but to try and avoid running Java applets when possible until Oracle releases an effective fix. That can be a major impediment in traditional organizations that still utilize the technology to support important business processes, but sacrificing some productivity is still better than potentially creating an opening for hackers to infiltrate the corporate network.

Image via JavadR