Oracle promised a fix for the security vulnerability in its Java software on Saturday and keeping its word, the enterprise software giant released Java 7, Update 11 to address the massive security flaw on Sunday. However, experts opined that the emergency fix fails to provide 100 percent protection from hackers.
The updated version can be downloaded from the Oracle website and the company recommends all Java 7 users update immediately to the new version to prevent potential security breaches. Oracle, in its release note, said the update includes fixes for security vulnerabilities and the Oracle Security Alert for CVE-2013-0422 explained in detail the issues the new update would fix.
Oracle upped the default Java Security Level for the software from "Medium to High". Resultantly, users will be prompted before any unsigned Java applet or Java Web Start application is run. "This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation," Oracle explained.
The critical security hole was first noticed by a European security researcher who blogs under the name Kafeine. The security flow that could permit an unauthenticated attacker to execute arbitrary code on targeted PCs was then widely reported. A zero-day Trojan horse called Mal/JavaJar-B was discovered to be exploiting a vulnerability in Oracle's Java 7 and it was found that it could even affect the latest version of the runtime (7u10).
Underlying the potential threat, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) urged users to disable Java in their Web browsers. However, the threat remains far from over. The CERT warned that "unless it is absolutely necessary to run Java in web browsers, disable it, even after updating to 7u11".