Stop using Java: security warning

Had a similar incident here too... machines BSOD at restart or shutdown, MSE installed, updated and active... both machines running Windows 7. Removed drives and scanned with NOD after fruitless troubleshooting and it discovered and cleaned these...
Also, both machines were running VLC media player that was also infected.
Cleaned now and with java disabled. Running OK again. MSE perhaps needs to get up to speed with its definitions.
Grrrr.

Hmm, I'll have to re-scan mine with NOD and see if I can find anything.... cos MSE and Malwarebytes didn't find a single thing.
 
Well, uncle Larry seems to have actually whipped the serfs into doing something, there is now an update 11 download. From TNW TFA:
After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle’s website here: Java SE 7u11.

In the release notes for this update, Oracle notes this version “contains fixes for security vulnerabilities.” A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities.

Furthermore, the fixes include a change to the default Java Security Level setting from Medium to High, meaning the user is now always prompted before any unsigned Java applet or Java Web Start application is run. This is to prevent drive-by-downloads, as Oracle explains:

This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.

This is huge. Security researcher Charlie Miller put it best:

Charlie Miller (@0xcharlie), 14 Jan 13:
Java exploit developers the world over are crying as the value of their exploits tumble now that applets are click-to-run.

With this update, the latest Java security fiasco is over, but the larger security nightmare is far from over. Boy, what a week it has been; below is a modified summary written yesterday.

On Thursday, the US Computer Emergency Readiness Team (US-CERT), which falls under the National Cyber Security Division of the Department of Homeland Security, issued the following vulnerability note:

Overview – Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description – Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
Impact – By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

The critical security hole, which allows attackers to execute malicious software on a victim’s machine, was quickly exploited in the wild and made available in common exploit kits. Later the same day, Apple stepped in to block Java 7 on OS X 10.6 and up to protect Mac users.

On Friday, we learned the 0-day code would not have worked if Oracle had properly addressed an old vulnerability, according to Security Explorations, the security firm responsible for identifying most of the latest Java vulnerabilities. Back in late August 2012, the company informed Oracle about the insecure implementation of the Reflection API, and Oracle released a patch for it in October 2012, but the fix wasn’t a complete one.

Also on Friday, Mozilla added all recent versions of Java to its Firefox add-on blocklist. These include Java 7 Update 9, Java 7 Update 10, Java 6 Update 37, and Java 6 Update 38; older Java versions were already blocklisted due to other vulnerabilities.

Oracle on Saturday confirmed the 0-day vulnerability discovered in Java 7 that made headlines this week. Furthermore, the company told Reuters that “a fix will be available shortly,” but wouldn’t go into more detail as to when exactly that would be.

Now we know the firm was giving a 24-hour notice. With Java 7 Update 11, Mac users and Firefox users can once again use the plugin.
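
An added example, not part of the thread or the quoted article: a small inventory check that classifies `java -version` output against the US-CERT note quoted above (Java 7 Update 10 and earlier affected, Update 11 fixed). The host names and sample output strings are constructed, and the legacy `1.<major>.0_<update>` version string format is assumed.

```python
import re

# Legacy version string printed by `java -version`, e.g. java version "1.7.0_10"
VERSION_RE = re.compile(r'1\.(\d+)\.0(?:_(\d+))?')

# Java 7 Update 11 is the fixed release named in the quoted article.
FIXED_JAVA7_UPDATE = 11


def parse_java_version(text):
    """Return (major, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    # A GA build such as "1.7.0" has no _NN suffix; treat it as update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Classify one host's output against the Java 7 note only."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"          # Java missing or output not recognised
    major, update = parsed
    if major != 7:
        return "not-java-7"       # the quoted note makes no claim here
    return "vulnerable" if update < FIXED_JAVA7_UPDATE else "fixed"


def audit(inventory):
    """Group host names by classification, sorted for stable reporting."""
    report = {}
    for host, output in inventory.items():
        report.setdefault(classify(output), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts and captured output).
SAMPLE = {
    "pc-frontdesk": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
    "pc-accounts": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment',
    "pc-legacy": 'java version "1.6.0_38"',
    "pc-kiosk": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(status, hosts)
```

Hosts reported as `not-java-7` or `unknown` still need a manual look; the check only answers the Java 7 question the note raises.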
 
Yup. It's very easy to own someone's Windows machine with Java. You just need them to visit a website. No user interaction required. Antiviruses are a little useless. People who put up these viruses crypt them.

Like, I can take a virus and no AV will pick it up. Not even VirusTotal.
 
Anybody know if this also applies to OpenJDK? (I have not installed Sun/Oracle Java in some time)
 
SARS Easyfile is written in JAVA and uses Adobe Air. :(

I have to use that today now.
 
So I have two Windows 7 PCs, running the latest version of Java, one with Firefox 17, the other with 18, and both cannot log in to FNB Business Internet Banking since yesterday. Chrome isn't working either. Anyone have any ideas?
 
Read TFA posted a couple of times; it looks like Ff is blocking any version less than update 11 ...unless 11 is what you mean by latest? (or is it 10, 9 or what?)
 
You did not load that NoScript extension for Firefox? Tried Internet Explorer?
 