The trouble began on January 10th when word hit that the bad guys behind the BlackHole and Nuclear Packs updated their crimeware with new exploits for a zero-day Java vulnerability affecting all versions of Java 7, including Java 7 Update 10.
Users were told to disable the Java browser plugin – or to remove Java altogether – in order to minimize the chances of an attack.
Three days later, Oracle released Java 7 Update 11 to address the vulnerability and beef up security by switching the default Security Level setting from Medium to High to prevent silent drive-by-download attacks:
This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.
All is well, right? Well, not so much, since reports of Java 7 Update 11 vulnerabilities have already begun to surface.
Adam Gowdiak of Security Explorations wrote a short post on the Full Disclosure mailing list stating they have “successfully confirmed that a complete Java security bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).” Gowdiak went on to say that two new security vulnerabilities were discovered and reported to Oracle along with a working proof-of-concept.
Fortunately, Gowdiak told TheNextWeb that there’s no evidence of these new vulnerabilities being exploited in-the-wild (YET), and that the new security settings in Java 7 Update 11 will prevent some attacks granted the user doesn’t accept the malicious content.
So think twice before allowing unsigned Java applets to run on your system. Or just remove Java from your system.
Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+
No comments:
Post a Comment