
Built for Speed
Fort Wayne, IN
·Frontier Communi..
reply to chachazz

Re: Java SE 7 update 13 / Java SE 6 update 39

said by chachazz:

Oracle Software Security Assurance Blog
Eric P. Maurice - Director Oracle Software Security Assurance

In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities.
Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to high by default.

...continue reading.

I wonder how all these fixes play against the vulnerability in Java 7 update 11 revealed by security researcher Adam Gowdiak in his web posting on 27 Jan 2013, which indicated a significant vulnerability existed in Java allowing the Java Control Panel security setting to be bypassed for unsigned Java apps in a web browser. His disclosure is here: (SE-2012-01) An issue with new Java SE 7 security features...
... What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above. Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with "Very High" Java Control Panel security settings.
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Hilo, HI
Gowdiak seems to think Java can be disabled in the browser. That is not true for IE.

»Re: Feds warn PC users to disable Java
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson