Newest Java update doesn't fix fresh critical vulnerabilities
Posted on 21 January 2013.
Another week, another zero-day threatening millions of Java users.

As you might remember, last week Oracle released Java 7 Update 11, which patched the zero-day vulnerability that was being misused in attacks in the wild.

This newest version also sets the default security level for Java applets and web start applications to "High," so the user is always prompted before any unsigned Java applet or Java Web Start application is run.

A little after the update was released, Adam Gowdiak, CEO of Polish firm Security Explorations had piped up to say that it left a number of critical security flaws unpatched - a claim that he reiterated on Friday on the Full Disclosure mailing list.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," he stated, and added that while the MBeanInstantiator bug turned out to be quite inspirational for him and his researchers, they chose to concentrate their efforts on finding other flaws.

"As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."

The aforementioned changed default security level for Java applets and web start applications presents a barrier for the exploits provided by Security Explorations, Gowdiak confirmed for ars technica. Still, the use of a stolen valid certificate or a good social engineering attack can be used to trick users into approving a malicious applet.

Once again, users should, for the time being, consider removing Java altogether from their computers or at least its plugins from the browsers they use.






Spotlight

Staples customers likely the latest victims of credit card breach

Posted on 21 October 2014.  |  Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Oct 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //