During the call, Smith touted the security enhancements to Java 7, including the introduction of the settings in Update 10, and the change of the default from "Medium" to "High" in Update 11. "[They] effectively make it so that unsigned applets won't run without a warning," Smith said of the security settings. "Some of the things we were seeing were silent exploits, where people would click on a link in an email and unwittingly compromise a machine. But now those features really prevent that. Even if Java did have an exploit, it would be very hard to do it silently."
According to Gowdiak, that's exactly what the newest vulnerability could let attackers do. "Recently made security improvements to Java 7 don't prevent silent exploits at all," Gowdiak wrote on Bugtraq.
When asked how users who must run Java in their browser should protect themselves against possible exploits, Gowdiak repeated his earlier suggestion that people turn to a browser with click-to-play, a feature that forces users to explicitly authorize a plug-in's execution. Both Chrome and Firefox include click-to-play.
"That may help prevent automatic and silent exploitation of known and not-yet-addressed Java plug-in vulnerabilities," Gowdiak said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.