Newest Java update doesn't fix fresh critical vulnerabilities
Posted on 21 January 2013.
Another week, another zero-day threatening millions of Java users.

As you might remember, last week Oracle released Java 7 Update 11, which patched the zero-day vulnerability that was being misused in attacks in the wild.

This newest version also sets the default security level for Java applets and web start applications to "High," so the user is always prompted before any unsigned Java applet or Java Web Start application is run.

A little after the update was released, Adam Gowdiak, CEO of Polish firm Security Explorations had piped up to say that it left a number of critical security flaws unpatched - a claim that he reiterated on Friday on the Full Disclosure mailing list.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," he stated, and added that while the MBeanInstantiator bug turned out to be quite inspirational for him and his researchers, they chose to concentrate their efforts on finding other flaws.

"As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."

The aforementioned changed default security level for Java applets and web start applications presents a barrier for the exploits provided by Security Explorations, Gowdiak confirmed for ars technica. Still, the use of a stolen valid certificate or a good social engineering attack can be used to trick users into approving a malicious applet.

Once again, users should, for the time being, consider removing Java altogether from their computers or at least its plugins from the browsers they use.


Pen-testing drone searches for unsecured devices

You're sitting in an office, and you send a print job to the main office printer. You see or hear a drone flying outside your window. Next thing you know, the printer buzzes to life and, after spitting out your print job, it continues to work and presents you with more filled pages than you expected.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Oct 9th