After the US Department of Homeland warned users on Thursday about a Java 7 vulnerability issue affecting the Java browser plug-in, and Apple reportedly moved immediately to block on Friday, Oracle has done its job and released Java 7 Update 11 to address the security flaw.
The release notes [Via The Next Web] of this update say it “contains fixes for security vulnerabilities”, while reading the Oracle Security Alert for CVE-2013-0422, we find the update fixes two vulnerabilities: Oracle Java 7 Security Manager Bypass Vulnerability and another vulnerability affecting Java running in Web browsers.
The fixes in this Alert include a change to the default Java Security Level setting from “Medium” to “High”. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.
If you use Java, download the latest update now from the Java Control Panel or from Oracle’s website: Java SE 7u11.
Oracle has successfully put an end to the Java security fiasco, but the security nightmare is far from over.