Newest Java update doesn't fix fresh critical vulnerabilities
Posted on 21 January 2013.
Another week, another zero-day threatening millions of Java users.

As you might remember, last week Oracle released Java 7 Update 11, which patched the zero-day vulnerability that was being misused in attacks in the wild.

This newest version also sets the default security level for Java applets and web start applications to "High," so the user is always prompted before any unsigned Java applet or Java Web Start application is run.

A little after the update was released, Adam Gowdiak, CEO of Polish firm Security Explorations had piped up to say that it left a number of critical security flaws unpatched - a claim that he reiterated on Friday on the Full Disclosure mailing list.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," he stated, and added that while the MBeanInstantiator bug turned out to be quite inspirational for him and his researchers, they chose to concentrate their efforts on finding other flaws.

"As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."

The aforementioned changed default security level for Java applets and web start applications presents a barrier for the exploits provided by Security Explorations, Gowdiak confirmed for ars technica. Still, the use of a stolen valid certificate or a good social engineering attack can be used to trick users into approving a malicious applet.

Once again, users should, for the time being, consider removing Java altogether from their computers or at least its plugins from the browsers they use.






Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Aug 27th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //