Java still unsafe for browsers

Not much to say here. Oracle issued a patch for Java 7 on Sunday (it was pushed out to clients directly, and downstream from Red Hat and others over the last couple of days), but US-CERT is still warning that it’s best not to enable Java in your browser unless absolutely necessary.

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security level to “High”, so that users will be prompted before unsigned or self-signed Java applets run.

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
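As an added example (not from this post, Oracle or US-CERT), here is a system-wide Java 7 deployment configuration for a Linux host that enforces the advice above: the security level is pinned to the 7u11 default of High, Java content in the browser is switched off, and both settings are locked so users cannot flip them back in the Java Control Panel. The two file paths are the standard system-level locations for Java 7 on Linux; they differ on other platforms.

```properties
# File 1: /etc/.java/deployment/deployment.config
# Read by every JRE 7 on the host; points it at a mandatory system-wide properties file.
deployment.system.config=file:/etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# File 2: /etc/.java/deployment/deployment.properties
# Weak setting (the pre-7u11 default): unsigned applets run without any prompt.
#deployment.security.level=MEDIUM

# Corrected setting (the 7u11 default): prompt before unsigned or self-signed applets run.
deployment.security.level=HIGH
# A bare "<property>.locked" line prevents users from changing that property.
deployment.security.level.locked

# Stronger still, per the advice above: disable Java in the browser entirely,
# which also covers the JMX MBean issue that 7u11 reportedly leaves unfixed.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

After saving both files, restart the browser; the Java Control Panel should then show “Enable Java content in the browser” unchecked and greyed out.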

Metasploit’s founder, H.D. Moore, is just as blunt in his assessment that, given its track record so far, Oracle is probably 2 years away from getting its Java security house in order.