Newest Java update doesn't fix fresh critical vulnerabilities
Posted on 21 January 2013.
Another week, another zero-day threatening millions of Java users.

As you might remember, last week Oracle released Java 7 Update 11, which patched the zero-day vulnerability that was being misused in attacks in the wild.

This newest version also sets the default security level for Java applets and web start applications to "High," so the user is always prompted before any unsigned Java applet or Java Web Start application is run.

A little after the update was released, Adam Gowdiak, CEO of Polish firm Security Explorations had piped up to say that it left a number of critical security flaws unpatched - a claim that he reiterated on Friday on the Full Disclosure mailing list.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," he stated, and added that while the MBeanInstantiator bug turned out to be quite inspirational for him and his researchers, they chose to concentrate their efforts on finding other flaws.

"As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."

The aforementioned changed default security level for Java applets and web start applications presents a barrier for the exploits provided by Security Explorations, Gowdiak confirmed for ars technica. Still, the use of a stolen valid certificate or a good social engineering attack can be used to trick users into approving a malicious applet.

Once again, users should, for the time being, consider removing Java altogether from their computers or at least its plugins from the browsers they use.






Spotlight

Black hole routing: Not a silver bullet for DDoS protection

As ISPs, hosting providers and online enterprises around the world continue suffering the effects of DDoS attacks, often the discussions that follow are, “What is the best way to defend our networks and our customers against an attack?”


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Mon, Mar 2nd
    COPYRIGHT 1998-2015 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //