Cyber-criminals are now using "fraudulent" certificates to bypass Java's new security features:
By default, the widely used plugin doesn't check the status of digital certificates used to sign Java apps hosted on websites, Ars Technica has confirmed. As a result, Java presents certificates as trustworthy even when they've been reported as stolen and added to publicly available revocation databases. The failure of Java to check certificate revocation lists came to light on Tuesday when a legitimate site was found hosting a malicious app. Java presented an accompanying certificate as a trusted credential belonging to Texas-based Clearesult Consulting Inc. even though the firm had issuer GoDaddy revoke the certificate in December.
The failure to vet the status of certificates dilutes a key security protection Oracle recently added to Java. Starting in January, the default security configuration was set to "high," causing a browser to seek user permission before running unsigned apps. Since Java treats apps signed by a compromised certificate as trusted, there's the possibility that end users will receive no such prompt, a shortcoming that significantly diminishes the benefit of this important new measure.
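For contrast with the behaviour described above, here is an added example (not code from the article, Oracle, or the Java plugin) of validating a code-signing chain with revocation checking actually enforced: it uses the standard Java 8+ PKIX API, turns on OCSP and CRL distribution-point fetching, and fails closed when status cannot be determined. It assumes the chain is passed leaf-first with the trusted root kept separately, and that certificate files are DER or PEM X.509.

```java
import java.io.FileInputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

public class RevocationAwareValidator {

    // Validate an end-entity chain against one trust anchor, requiring revocation status.
    // chain: leaf certificate first, intermediates after it, root NOT included.
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                       X509Certificate trustedRoot) throws Exception {
        // Both switches are off by default in the JDK; without them a revoked signer passes.
        Security.setProperty("ocsp.enable", "true");                 // query OCSP responders
        System.setProperty("com.sun.security.enableCRLDP", "true");  // follow CRL distribution points

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(trustedRoot, null)));
        params.setRevocationEnabled(true);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // Empty option set: no SOFT_FAIL, so an unreachable CRL/OCSP source is an error,
        // and no ONLY_END_ENTITY, so intermediates are checked as well.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(checker);

        // Throws CertPathValidatorException (reason REVOKED / UNDETERMINED_REVOCATION_STATUS)
        // instead of silently trusting a stolen-and-revoked signing certificate.
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    private static X509Certificate load(String file) throws Exception {
        try (FileInputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage: java RevocationAwareValidator root.cer leaf.cer [intermediate.cer ...]
    public static void main(String[] args) throws Exception {
        X509Certificate root = load(args[0]);
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 1; i < args.length; i++) chain.add(load(args[i]));
        validate(chain, root);
        System.out.println("chain valid and no certificate reported revoked");
    }
}
```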