Vulnerability allows Java Control Panel settings to be bypassed
Yet another security vulnerability has been discovered in Java, which means that recent changes to thwart drive-by attackers against web browsers can be circumvented. The somber warning was issued by Adam Gowdiak, CEO of Security Explorations, in a Sunday mailing list post. In it, Gowdiak says his company had successfully created a proof of concept exploit that worked on Java 7 Update 11.
The problem that was discovered by Gowdiak appears to sidestep recent tweaks made by Oracle (NASDAQ: ORCL) that bolster the security of Java, including setting the security level of Java to the highest by default. The changes were made in order to prevent a computer from being compromised on the sly by a "silent exploit." Unfortunately, the newly discovered flaw allows that to happen.
Gowdiak outlined the problem in a Computerworld article. "It could be used to successfully launch unsigned Java code on a target system regardless of the security level set by the user in Java Control Panel. [The] 'High' or 'Very High' security [setting] does not matter here, the code will still run," he said.
For now, Gowdiak recommends that users rely on browsers with "click-to-play" functionality. This is a feature that requires users to click on a plug-in to explicitly authorize it to load. According to Gowdiak, this may be useful to guard against "known and not-yet-addressed Java plug-in vulnerabilities." The bug has been reported to Oracle.
- check out this article at Computerworld