Fix for critical Java hole released
Oracle has released Java 7 Update 11, which includes a fix for the critical vulnerability disclosed at the beginning of January that has already been widely exploited. The update also includes a fix for another previously undisclosed critical vulnerability. Oracle also confirmed that the flaws in question do not affect Java 6 or earlier versions of the runtime. Oracle urges users to update as soon as possible.
The security alert for CVE-2013-0422 notes in its Risk Matrix that CVE-2012-3174, another critical, remotely exploitable vulnerability, is also being fixed in the update. Little is known of the equally severe vulnerability except that its CVE number was apparently assigned in June 2011 and its discovery appears to be credited to a Brian Murphy via TippingPoint.
The Java 7 update also changes the default security policy of the Java plugin so that, from now on, unsigned applets will always generate a warning to the user before being run. This should reduce the ability of attackers to exploit Java applet support in drive-by malware attacks which rely on the plugin executing the malicious code silently. The "click-to-play" behaviour is similar to the precautions that Mozilla took with Firefox. The defensive measures Apple took, blocking the specific version of Java, will mean that when the update is installed, the Java plugin will resume operation.
Despite Oracle's speedier response closing the new holes with a reminder in the release notes to re-enable the Java plugin if disabled, the consensus amongst security experts is to leave Java disabled in the browser especially as few sites use Java. The Windows control panel for Java also allows users to easily disable the Java plugin. Instructions on how to disable Java in Chrome, Firefox and Safari are also available.
(djwm)