It’s not been a good month for Java. Security experts have issued multiple warnings about security vulnerabilities in the technology. Now, a researcher says he has discovered yet another bug—and all of Oracle’s earlier efforts to secure Java do nothing to defend against its exploit.
Brian Prince from eWeek reported, “Security researchers have uncovered yet another ding in the battered armor of Java security. This time there is a vulnerability in the latest version of Java that allows attackers to execute unsigned Java code to on a targeted Windows system regardless of the Java security control settings, according to findings from Security Explorations.”
Ars Technica’s Dan Goodin explained that “security improvements were introduced in Java 7 Update 10, and they came after a spate of in-the-wild attacks exploited fully patched versions of Java…. By default, the change required end users to manually allow the execution of Java code not digitally signed by a trusted authority. Users also had the ability to prevent any unsigned Java applet from running at all. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java. ‘Unfortunately, the above is only a theory,’ security researcher Adam Gowdiak wrote on Sunday, referring to the way the protections are supposed to block untrusted code from running on end-user computers. ‘In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel.'”
InformationWeek’s Mathew J. Schwartz wrote, “how can users mitigate the zero-day flaw spotted by Gowdiak — which, to be clear, hasn’t been seen in any known attacks to date? Of course, users can take their chances and wait for Oracle’s fix. Alternately, they can disable in-browser Java altogether, which is the current recommendation from the Department of Homeland Security, provided Java isn’t required. If it is, security experts have recommended maintaining one Java-free browser and another browser with the Java plug-in enabled, and using the latter only to visit trusted websites that require in-browser Java.”
In other news of security vulnerabilities, Computerworld’s Lucian Constantin warned, “Tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs and more can be attacked over the Internet because of dangerous flaws in their implementation of the UPnP (Universal Plug and Play) protocol standard, security researchers from Rapid7 said Tuesday in a research paper.”