Monday 28 January 2013

Oracle's update didn't plug the holes in Java

An update for Java 7 - which was supposed to fix the critical vulnerabilities that exposed machines to remote exploits - has failed to solve the problem, leaving the door open to further attacks.

Adam Gowdiak from Security Explorations reports:

What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above. Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of the latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with "Very High" Java Control Panel security settings.
That said, recently made security "improvements" to Java SE 7 software don't prevent silent exploits at all. Users who require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.
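The practical consequence of the report above is that an administrator cannot treat the Control Panel slider as evidence that a host is protected. The following is an added example, not code from the article or from Security Explorations: a small inventory check that parses `java -version` output and the JRE's deployment.properties file, and flags a Java 7 installation at or below Update 11 as exposed whatever the security level says. The property keys `deployment.security.level` and `deployment.webjava.enabled` are not mentioned in the article; they are the keys behind the Control Panel security slider and the "Enable Java content in the browser" checkbox in Java 7 Update 10 and later. The sample inputs are constructed for the example.

```python
import re

# Constructed sample input (not captured from a real host): the first two lines that
# `java -version` prints for the build named in the report, plus a deployment.properties
# fragment with the Control Panel slider at its highest setting and the plugin enabled.
SAMPLE_JAVA_VERSION = (
    'java version "1.7.0_11"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n'
)
SAMPLE_DEPLOYMENT_PROPERTIES = (
    '#deployment.properties\n'
    'deployment.security.level=VERY_HIGH\n'
    'deployment.webjava.enabled=true\n'
)

# Java SE 7 Update 11 is the latest release the report says Issue 53 still works against.
LAST_REPORTED_EXPLOITABLE_UPDATE = 11

_VERSION_RE = re.compile(r'"?(\d+)\.(\d+)\.(\d+)_(\d+)')
# key=value lines only; '#' is not a key character, so comment lines never match.
_PROP_RE = re.compile(r'^\s*([\w.]+)\s*=\s*(.*?)\s*$', re.MULTILINE)


def parse_jre_version(text):
    """Extract (major, minor, patch, update) from `java -version` output; None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def parse_deployment_properties(text):
    """Parse the key=value lines of a deployment.properties file into a dict."""
    return dict(_PROP_RE.findall(text))


def assess(version_text, properties_text):
    """Decide whether the Control Panel security level can be relied on for this JRE."""
    version = parse_jre_version(version_text)
    props = parse_deployment_properties(properties_text)
    level = props.get('deployment.security.level', 'UNKNOWN')
    # Missing key means the browser plugin is enabled (the installer default).
    plugin_enabled = props.get('deployment.webjava.enabled', 'true').lower() != 'false'

    report = {
        'version': version,
        'security_level': level,
        'browser_plugin_enabled': plugin_enabled,
    }
    if version is None:
        report['verdict'] = 'no JRE version found'
        return report

    major, minor, _patch, update = version
    is_java7 = (major, minor) == (1, 7)
    if not plugin_enabled:
        # No in-browser Java at all: the silent plugin exploit path is closed.
        report['verdict'] = 'plugin disabled'
    elif is_java7 and update <= LAST_REPORTED_EXPLOITABLE_UPDATE:
        # The security level is reported, but it is not the mitigation.
        report['verdict'] = 'exposed'
        report['reason'] = (
            'Issue 53 runs unsigned code on JRE 1.7.0_%d regardless of the security '
            'level (%s); rely on Click to Play or disable the browser plugin' % (update, level)
        )
    else:
        report['verdict'] = 'not covered by this report'
    return report


if __name__ == '__main__':
    for key, value in assess(SAMPLE_JAVA_VERSION, SAMPLE_DEPLOYMENT_PROPERTIES).items():
        print('%-22s %s' % (key + ':', value))
```

On a real host the two inputs would come from running `java -version` (it prints to stderr) and from reading the user's deployment.properties file; the check deliberately says "not covered" for any other Java 7 build rather than guessing whether a later update is fixed.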