Newest Java update doesn't fix fresh critical vulnerabilities
Posted on 21 January 2013.
Another week, another zero-day threatening millions of Java users.

As you might remember, last week Oracle released Java 7 Update 11, which patched the zero-day vulnerability that was being misused in attacks in the wild.

This newest version also sets the default security level for Java applets and web start applications to "High," so the user is always prompted before any unsigned Java applet or Java Web Start application is run.

A little after the update was released, Adam Gowdiak, CEO of Polish firm Security Explorations had piped up to say that it left a number of critical security flaws unpatched - a claim that he reiterated on Friday on the Full Disclosure mailing list.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," he stated, and added that while the MBeanInstantiator bug turned out to be quite inspirational for him and his researchers, they chose to concentrate their efforts on finding other flaws.

"As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."

The aforementioned changed default security level for Java applets and web start applications presents a barrier for the exploits provided by Security Explorations, Gowdiak confirmed for ars technica. Still, the use of a stolen valid certificate or a good social engineering attack can be used to trick users into approving a malicious applet.

Once again, users should, for the time being, consider removing Java altogether from their computers or at least its plugins from the browsers they use.






Spotlight

How to talk infosec with kids

Posted on 17 September 2014.  |  It's never too early to talk infosec with kids: you simply need the right story. In fact, as cyber professionals itís our duty to teach ALL the kids in our life about technology. If we are to make an impact, we must remember that children needed to be taught about technology on their terms.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Sep 19th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //