Java still vulnerable to exploits: researchers
MANILA, Philippines - The story of Java's security issues are continuing today with new information pointing to Java's vulnerabilities to web hacks, enabling malware installations on end-user computers.
A number of researchers have been pointing out vulnerabilities in Java that need to be addressed, and while the information pointing to the vulnerabilities is out there, the remedies continue to be elusive. Ars Technica writes Trend Micro and Immunity Inc independently noted the patch for Java released Monday, January 14 (Philippine Time), was incomplete, only fixing one of the two vulnerabilities noted in reports. Exploit code for the unpatched hole was being sold underground to capitalize on it.
Adam Gowdiak, CEO of Security Explorations, also noted an additional issue on the FullDisclosure mailing list, saying "a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11," which is formally known as JRE version 1.7.0_11-b21.
In an email to Ars Technica, Gowdiak mentions that the exploits found by Security Explorations still need the user's approval to actually bypass the protections in place. Attackers could get past this in two ways, however: either by using a stolent valid certificate, or by tricking users into allowing approving access to the exploit.
Oracle representatives have not yet commented on the information. In the meantime, if you don't need Java in your day-to-day activities, it would be a good idea to uninstall or otherwise disable it on your computer. - Rappler.com