The How-To Geek Forums Have Migrated to Discourse


How-To Geek Forums / Windows 7

Oracle's New Java Defenses Already Bypassed

(1 post)
  • Started 3 years ago by Straspey
  • Topic Viewed 313 times

PARTNER SPOTLIGHT

Recommended: Clean Your PC the Easy Way with CleanMyPC

If you want to clean up your PC the easy way, CleanMyPC is a great tool to get the job done easily, and it will even keep your computer clean automatically.

Unlike the competition, it also includes great tools like a Clean Uninstaller, to get rid of applications and clean up the junk that they leave behind. All with the click of a button.

Download CleanMyPC for Free Today

Posted yesterday 
Top
Straspey
Posts: 556

From H-Security:

29 January 2013

Security Explorations researcher Adam Gowdiak says Oracle's new defences for Java applets have already failed and features designed to prevent silent exploits of Java vulnerabilities are easily bypassed. Gowdiak was responding to Oracle's latest attempt to manage the security flaws that are being exposed in Java.

Oracle's Java security lead took to the phones last week to say the company needed to explain what it had done to secure Java in the wake of vulnerabilities previously discovered by Gowdiak. One of the changes was the ability to set a security level to control the execution of unsigned Java Applets to Low, Medium, High or Very High.

According to Oracle's documentation, the Low setting allowed unsigned applets to run, only prompting when a protected resource or old JRE was requested; Medium only ran applets if the version of Java was "considered secure"; High prompts before any unsigned Java applet runs; and, Very High should stop all unsigned applets running.

Gowdiak calls this "only a theory" and says that he has already developed a proof of concept applet which will successfully run on Windows systems with any of the Java applet security levels set. That includes the latest Java SE 7 Update 11 (1.7.0_11-b21) on Windows 7.

Although there are few details, Gowdiak's track record to date suggests that his bypass should hold up to scrutiny. There is no suggestion of his technique having been observed in the wild. His advice for avoiding silent exploits is to enable the "Click to Play" technology for plugins that is implemented in Chrome and Firefox.

Read the full story here:

http://www.h-online.com/securi.....93121.html

Posted 3 years ago
Top
 



Topic Closed

This topic has been closed to new replies.