Java made headlines last week when researchers identified a security flaw in the software that allowed hackers to remotely execute malicious code in the wild. On Sunday, Oracle announced on its software security blog that it released a new security alert to repair two problems in the application. Security Alert CVE-2013-0422, which can be downloaded here, will prevent against two vulnerabilities that were remotely executable. The company’s post confirmed that the flaws were only present in Java 7 versions and did not impact Java on servers, Java desktop applications, or embedded Java.
The other change in this latest patch is that Java’s security settings will now be set to “high” by default. The more restricted setting means that a computer owner needs to directly authorize the execution of any unsigned or self-signed applets. That means a user will be notified if a malicious site attempts to run an applet and can shut down the execution before it attacks the machine. The Java Control Panel, released in update 10 of the latest Java version, can also let users turn the software on and off from their browsers.
While the patch download will secure your computer against this new attack threat, the discovery of last week’s zero-day vulnerability has led some tech experts to renew their calls to abandon Java entirely. The zero-day vulnerability is just the latest security flaw of that type to appear in the software, which is a common part of both work and home computing for many people. Users were encouraged to disable the app until the patch appeared from Oracle, but it seems unlikely that even this new security weakness will lead to a serious drop in the program’s pervasiveness.
According to InformationWeek, Oracle is slated to release another patch on Tuesday. Be prepared for lots of upkeep this week if you are a regular Java user.
Image via Roger Price
