Information Security News mailing list archives
Oracle's Java security update lacking, experts say
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 20 Dec 2012 04:13:27 -0600 (CST)
http://www.csoonline.com/article/724327/oracle-s-java-security-update-lacking-experts-say
By Antone Gonsalves
CSO
December 19, 2012
Oracle's latest update of the Java Development Kit fails to go far enough in fixing the security-troubled platform, bringing only marginal improvements instead, experts say.
Among the improvements in Java SE Development Kit 7, Update 10 (JDK 7u10) is the ability to use the control panel to prevent Java applications from running in browsers. Vulnerabilities in Java are a major target for cybercriminals hoping to infect computers with malware.
That's because hackers know many people do not keep the Java plug-in for browsers up to date, leaving old flaws open to exploitation. This has resulted in a high success rate for attackers. In 2011, an exploit integrated into the Blackhole toolkit, a hacker favorite, had more than an 80 percent success rate, according to HP's security research division.
Other improvements in JDK 7u10 include using the control panel to choose from four levels of security for unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. In addition, Oracle has added a dialogue box that will warn people when the Java plug-in needs to be updated to prevent exploits.
[...]