Java's new security settings, designed to block drive-by browser attacks, can be bypassed by hackers, a researcher announced Sunday. The news came in the aftermath of several embarrassing zero-day vulnerabilities, and a recent commitment by the head of Java security that his team would fix bugs in the software.
The Java security provisions that can be circumvented were introduced last December with Java 7 Update 10 and let users decide which Java applets are allowed to run within their browsers. The most stringent of the four settings is supposed to block any applet not signed with a valid digital certificate. Other settings freely allow most unsigned applets, execute unsigned applets only if Java itself is up to date, or display a warning before unsigned applets are allowed to run.
The researcher's discovery makes moot, in theory at least, Oracle's latest security change. When it shipped an emergency update on Jan. 13 to quash two critical Java browser plug-in vulnerabilities, including one that was being actively exploited by cyber criminals, Oracle also automatically reset Java to the High security level. At that setting, Java notifies users before they can run unsigned applets.
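For administrators who want to confirm which of the four levels a machine is actually configured with, and whether the user can lower it again, the following Python audit is an added example (not code from the article, from the researcher, or from Oracle). It assumes the Java deployment.properties key `deployment.security.level` with the values LOW, MEDIUM, HIGH and VERY_HIGH introduced in Java 7 Update 10, and the `.locked` suffix that Java deployment properties use to stop users changing a key; both are assumptions about Oracle's deployment configuration format, not facts stated on this page. The sample files are constructed inline. Note the caveat the article itself raises: this only verifies that the setting matches policy; if the bypass works as claimed, a passing audit does not mean unsigned applets are blocked.

```python
"""Audit a Java deployment.properties file for the applet security level.

Added example. Assumes (not from the article) the deployment.properties
key `deployment.security.level`, its values LOW/MEDIUM/HIGH/VERY_HIGH,
and the `<key>.locked` convention that prevents users changing a key.
"""
import re

# Rank the four Java 7u10 security levels from most to least permissive.
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}

LEVEL_KEY = "deployment.security.level"
LOCK_KEY = LEVEL_KEY + ".locked"  # presence alone locks the setting (assumed)


def parse_properties(text):
    """Minimal Java .properties parser.

    Handles '#'/'!' comment lines, 'key=value', 'key: value' and
    'key value' separators, bare keys with no value, and backslash
    line continuations. Escape sequences inside values are not decoded,
    which is enough for the plain ASCII values audited here.
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank and comment lines unless we are inside a continuation.
        if not pending and (not line or line[0] in "#!"):
            continue
        # A trailing single backslash joins this line with the next one.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]
            continue
        logical = pending + line
        pending = ""
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text, required="HIGH"):
    """Return the configured level, whether it is locked, and any findings
    relative to the required minimum level (default High, the level the
    article says the Jan. 13 update reset Java to)."""
    props = parse_properties(text)
    level = props.get(LEVEL_KEY, "").upper()
    locked = LOCK_KEY in props
    findings = []
    if level not in LEVEL_RANK:
        findings.append("security level not set or unrecognised: %r" % level)
    elif LEVEL_RANK[level] < LEVEL_RANK[required]:
        findings.append("security level %s is below required %s" % (level, required))
    if not locked:
        findings.append("security level is not locked; the user can lower it again")
    return {"level": level or None, "locked": locked, "findings": findings}


# Constructed sample: level left on Medium and nothing locked.
SAMPLE_WEAK = """\
# constructed sample deployment.properties
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

# Constructed sample: level raised to Very High and locked by an administrator.
SAMPLE_HARDENED = """\
# constructed sample deployment.properties
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = audit(sample)
        print(name, result["level"], "locked" if result["locked"] else "unlocked")
        for finding in result["findings"]:
            print("  -", finding)
```

Point the script at a real file by reading it into `audit()`; the per-user file lives under the user's Java deployment directory, the system-wide one wherever the administrator's deployment.config points, so audit whichever copy your policy is enforced through.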