Oracle has issued an emergency fix for its cross-platform Java software. Java 7 update 11 for Windows, Mac and Linux, and Java 7 Update 11 64-bit for 64-bit versions of Windows and Linux, aims to plug a number of alarming security holes that were being used for phishing attacks and other crimeware.
While update 11 should be considered an essential update for all Java users, researchers have warned that the new build is little more than a sticking plaster for the problem, and recommend users actually disable Java from running inside web browsers.
Update 11 specifically acts on a Java exploit in web browsers that the US Department of Homeland Security warned is being “actively exploited” by malware. This allows code to be executed outside of Java’s sandbox, allowing keyloggers and botnet code to be distributed through the Java exploit.
The update basically sets Java’s default security settings to “High”, which means all code from unknown sources will be flagged before running on the user’s say-so.
Researchers warn that despite this new setting, the security can be bypassed by hackers able to mask their code through “social engineering”, which allows them to mask its true origins and claim to be from a trusted source, encouraging users to accept the code even though it’s been flagged.
As a result, the Department of Homeland Security’s Computer Emergency Readiness Team has recommended users should actually disable Java from running in web browsers – even after applying the latest update. The warning is echoed by other experts, including Rapid 7 and Polish company Security Explorations.
At the present time, Mac OS X disables Java browser plug-ins by default, while Firefox has implemented click-to-play protection on recent updates (but not for this newer build). Users of other web browsers and OSes should check their browser’s add-on settings and – if wishing to follow the recommended advice – disable Java manually.