Java hasn’t had a good run. It has been cited as a security risk by the Department of Homeland Security, and now the fix Oracle shipped to remediate that risk has itself been found to be vulnerable. The fix was supposed to add a mode in which no unsigned Java code runs without the user explicitly granting permission, which would have blunted drive-by attacks from compromised web pages. That does not appear to be the case.


Instead, security researchers have found that it is still possible to run unsigned, malicious code without prompting the user. According to an email posted to the Bugtraq mailing list, a Polish security firm demonstrated the bypass on a fully patched Windows 7 machine running a fully patched version of Java. It is easy to tell most home users to simply sidestep Java altogether; for many enterprise users that is not an option.


There have always been problems with dependencies on older versions of Java, but this is a prominent and sustained vulnerability in a current version. Securing an enterprise whose must-run tools are built in Java is getting harder, and it makes Java the newest battleground between a vendor and exploit developers.
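Since the point of the report is that the prompt-based mode on its own cannot be trusted, the practical enterprise response is to take the browser plugin out of play wherever the must-run Java tools are desktop applications rather than applets. The fragment below is an added example, not from the article and not Oracle's own documentation. It assumes the Java 7 Update 10 or later deployment configuration, in which the prompt mode is the deployment.security.level setting, deployment.webjava.enabled controls Java in the browser, and appending .locked to a key stops users from changing it in the Java Control Panel; the Windows file paths are likewise assumptions.

```properties
# Assumed system-wide location on Windows:
#   C:\Windows\Sun\Java\Deployment\deployment.properties
# referenced from deployment.config in the same folder with
#   deployment.system.config.mandatory=true
# so that per-user settings cannot override it.

# Weak (do not deploy): the prompt-for-unsigned-code mode on its own.
# The Bugtraq report described above shows the prompt can be bypassed,
# and an unlocked value can be lowered by the user in the Java Control Panel.
# deployment.security.level=HIGH

# Hardened: keep the level at its maximum, disable Java in the browser
# altogether so applets never load, and lock both keys so the Control
# Panel cannot change them. Desktop Java applications are unaffected.
# (Added example; assumes Java 7u10+ deployment.properties semantics.)
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

After pushing the file out, open the Java Control Panel on a test machine and confirm that the security slider and the "Enable Java content in the browser" checkbox are greyed out; if they are still editable, the locked markers are not being honoured by that release and the mandatory system configuration is not being picked up.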

via Examiner (National Edition, Gadgets & Tech): http://www.examiner.com/article/java-patch-doesn-t-close-security-holes?cid=roadrunner