Security researchers have uncovered a new bug in Oracle's Java framework that allows attackers to bypass important security protections designed to prevent malware attacks.

The security improvements were introduced in Java 7 Update 10, and they came after a spate of in-the-wild attacks exploited fully patched versions of Java. Those allowed crooks to surreptitiously install malware on the computers of unsuspecting people using Java browser plugins. By default, the change required end users to manually allow the execution of Java code not digitally signed by a trusted authority. Users also had the ability to prevent any unsigned Java applet from running at all. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java.
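For reference, the security level and unsigned-code behavior described above are the settings exposed by the Java Control Panel. As an added illustration that is not part of the original article, the following is a deployment.properties fragment (the file the Control Panel writes) pinning the level to "very high" and locking it so end users cannot lower it; the key names are the documented Java 7 deployment keys, and the file location is the standard per-user path on Windows, which an administrator would normally mirror in a system-wide deployment.config.

```properties
# Assumed path on Windows: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
# Security level selected in the Java Control Panel (LOW, MEDIUM, HIGH, VERY_HIGH).
# VERY_HIGH is the setting the article refers to: unsigned applets are not run at all,
# and even signed applets require the user to confirm before execution.
deployment.security.level=VERY_HIGH
# Lock the level so the Control Panel slider is greyed out for the user.
deployment.security.level.locked
# Whether Java content in the browser is enabled at all (also introduced in 7u10).
# Setting this to false removes the plugin attack surface entirely, independent of the level.
deployment.webjava.enabled=true
deployment.webjava.enabled.locked
```

The point of the article is that the prompt tied to this level could be bypassed, so the level alone is not a reliable control; the `deployment.webjava.enabled` switch is the setting that stops browser applets from running regardless of how the level is enforced.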

"Unfortunately, the above is only a theory," security researcher Adam Gowdiak wrote on Sunday, referring to the way the protections are supposed to block untrusted code from running on end-user computers. "In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel."

Oracle representatives didn't immediately respond to an e-mail seeking comment for this post. In addition to shoring up the quality of the Java code base, many security professionals have called on Oracle to communicate more quickly and effectively when it learns of new vulnerabilities in recent versions of its software.

As a result of the vulnerability, Gowdiak wrote in an e-mail posted to the Bugtraq mailing list, "unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings." He said Security Explorations, the Poland-based security firm he runs, has submitted proof-of-concept attack code to Oracle. It successfully overrides the protections on a fully patched Windows 7 machine that's configured to run Java 7 Update 11 with the "very high" security setting.