The newest edition of Java sets the default security level for Java applets to “High,” so the user is always prompted before any unsigned Java applet is ran.
After the update was released, Adam Gowdiak, CEO of Polish firm Security Explorations had stated that it resulted in a number of vital security flaws unpatched.
“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21),” he stated, and added that although the MBeanInstantiator bug proved to be rather inspirational for him and his researchers, they decided to focus their causes on finding other flaws.
“As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code).”
The new zero-day vulnerability is already on the black market and apparently is in at least one attacker’s hands. “Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month,” read the notice, referring to the Cool Exploit Kit that was created by the developers of the Blackhole crimeware kit, which rents for $10,000 per month. “I will be accepting counter-bids if you wish to outbid the competition.”
Once more, users should, for the moment, consider removing Java entirely from their computers or at least its plugins from the browsers they use.
