[ISN] Oracle's Java security update lacking, experts say

From: InfoSec News <alerts_at_private>
Date: Thu, 20 Dec 2012 04:13:27 -0600 (CST)
http://www.csoonline.com/article/724327/oracle-s-java-security-update-lacking-experts-say

By Antone Gonsalves
CSO
December 19, 2012

Oracle's latest update of the Java Development Kit fails to go far 
enough in fixing the security-troubled platform, bringing only marginal 
improvements instead, experts say.

Among the improvements in Java SE Development Kit 7, Update 10 (JDK 
7u10) is the ability to use the control panel to prevent Java 
applications from running in browsers. Vulnerabilities in Java are a 
major target for cybercriminals hoping to infect computers with malware.

That's because hackers know many people do not keep the Java plug-in for 
browsers up to date, leaving old flaws open to exploitation. This has 
resulted in a high success rate for attackers. In 2011, an exploit 
integrated into the Blackhole toolkit, a hacker favorite, had more than 
an 80 percent success rate, according to HP's security research 
division.

Other improvements in JDK 7u10 include using the control panel to choose 
from four levels of security for unsigned applets, Java Web Start 
applications and embedded JavaFX applications that run in a browser. In 
addition, Oracle has added a dialogue box that will warn people when the 
Java plug-in needs to be updated to prevent exploits.

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org 
Received on Thu Dec 20 2012 - 02:13:27 PST

This archive was generated by hypermail 2.2.0 : Thu Dec 20 2012 - 02:15:57 PST