"What we found ... is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings," Gowdiak wrote in a message posted Sunday to the Bugtraq mailing list.
In an email reply to questions Sunday, Gowdiak said there was a single vulnerability that makes the bypass possible. "It could be used to successfully launch unsigned Java code on a target system regardless of the security level set by the user in Java Control Panel. [The] 'High' or 'Very High' security [setting] does not matter here, the code will still run," he said.
After discovering the vulnerability and creating a proof-of-concept exploit that worked on Java 7 Update 11 -- the version released two weeks ago -- running on Windows 7, Gowdiak reported the bug to Oracle.