Experts: Silent Exploits Still Possible in Java 7, Despite Security Improvements

Security Explorations has identified another code execution vulnerability in Java

Researchers from Security Explorations have identified yet another vulnerability that affects Java 7 Update 11. Dubbed “Issue 53,” the security hole can be exploited to execute malicious code even if the security settings are configured to “Very High.”

With the release of Java 7 Update 10, Oracle made some “very significant” security improvements, including a feature that lets users control the security level applied when unsigned apps are executed in a web browser.

In theory, when users set the security level to “Very High,” unsigned (sandboxed) apps cannot be executed within the web browser.

However, Security Explorations has found that these security mechanisms are not as effective as they should be.

“What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings,” Adam Gowdiak, CEO of Security Explorations, told Softpedia in an email.

“Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with ‘Very High’ Java Control Panel security settings,” Gowdiak added.

“That said, recently made security ‘improvements’ to Java SE 7 software don't prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.”

This is not the only vulnerability identified by the Polish security firm in Java 7 Update 11. A few days after Oracle had released the latest update to address a zero-day flaw in Update 10, the experts identified a couple of new security holes (“Issue 51” and “Issue 52”).
