"JAVA FLAW NUMBER 53
And that's where things stood until today, when I received an email from Adam Gowdiak pointing me to his latest discovery of yet another Java bug. Ironically, the bug is with the new security improvements Mr. Smith alluded to.
As is the normal pattern, this new flaw involves running unsigned Java programs embedded in web pages.
Java 7 Update 10 introduced the new security rules for unsigned applets, and Update 11 made the default more secure. But, it turns out that the rules are not rules, they're not even suggestions. Gowdiak referred to them as theories.
What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings ...
Whereas I found that Internet Explorer would ignore the new security rules, Gowdiak's discovery is much broader. We approached things differently. I tested with safe Java applets, he purposely wrote a malicious one.
Via email, Gowdiak wrote that "We found a generic way to bypass the new security settings imposed by Java Control Panel that control the launch of unsigned Java code."
In other words, his malicious unsigned applet can do its dirty work in all browsers. On Windows 7, he tested the latest version of Internet Explorer 9, Firefox 18.0.1, Opera 12.12 and Google Chrome 24.0.1312.56m.
Also, since I was using safe applets, Java had to be tweaked a couple of times before the rules were ignored (the end user had to first disable Java in browsers via the Java Control Panel, then later re-enable it). Not so with Gowdiak's malicious applet, which can run without warning on the "Very High" setting, even if Java has not been tweaked and even if the "Very High" setting is blocking other applets.
In the conclusion of his Full Disclosure mailing list posting, Gowdiak wrote:
"... recently made security "improvements" to Java SE 7 software don't prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit."
Any more reasons one needs to uninstall if possible and disable otherwise? At least Firefox and *shudder* Chrome use Click to Play, at least for those of us who use Java.