
Java 0-day bug fixed in just three (days, that is)


nsane.forums


Earlier this week, a security hole in the latest version of Java was being "massively exploited in the wild." Hackers were turning compromised websites into platforms for installing silent keyloggers or other malicious software. And at the time news broke, even fully patched Java installations were at risk.

Today, however, KrebsOnSecurity reporter Brian Krebs is reporting Oracle finally shipped its critical security update. Java 7 Update 11 fixes this sticky situation and it's available both via Oracle’s website and through the Java Control Panel in an active program.

Krebs reports this update changes the way Java handles Web applications. From the company's advisory:

“The default security level for Java applets and Web start applications has been increased from 'Medium' to 'High.' This affects the conditions under which unsigned (sandboxed) Java Web applications can run. Previously, as long as you had the latest secure Java release installed applets and Web start applications would continue to run as always. With the 'High' setting the user is always warned before any unsigned application is run to prevent silent exploitation.”

As Krebs acknowledges, it's nice that Oracle acted so quickly in the face of such an attack. However, the rule with Java remains: if the program isn't absolutely necessary to your day-to-day, the safest route is avoiding it entirely.
