It’s been quite a week for Oracle and its Java platform. Last week, the US Computer Emergency Readiness Team, part of the National Cyber Security Division of the Department of Homeland Security (don’t worry, I can’t wrap my head around all that, either), released information about severe bugs affecting Java 7 Update 10 and earlier. Most of the vulnerabilities revolved around the ability to execute code on a victim’s PC, and unlike many bugs, which take a while before anyone exploits them, some of these were latched onto very quickly.
Yesterday, Oracle released a big patch for Java 7 that takes care of a handful of vulnerabilities; if you happen to have Java installed, you should install it. A major change is the default security level for running unsigned scripts. Previously this was set to “normal”, but now it’s set to “high”. This means that any time an unsigned script tries to execute, you’ll be notified and have to approve it. This is a bold move by Oracle, but seemingly necessary. It’s best to treat this like the User Account Control of Java – if you get a prompt for something you didn’t ask for, don’t run it.
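The two things worth checking on a machine after this update are the security level the Java plug-in is actually using and whether the installed runtime is at least 7 Update 11. The script below is an added example, not code from the post or from Oracle: it parses a copy of Java's deployment.properties file (the assumed location is ~/.java/deployment/deployment.properties on Linux and a per-user Deployment folder on Windows) for the `deployment.security.level` key, which I assume takes the values LOW, MEDIUM, HIGH and VERY_HIGH, and parses `java -version` output for the update number. The sample inputs are constructed for the example.

```python
"""Defender-side check for the Java 7u11 changes described above.

Added example; the property key and its values, and the file locations,
are assumptions about Java's deployment configuration, not taken from the post.
"""
import re

# Security levels as assumed for deployment.security.level, weakest to strongest.
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]

# Constructed sample of a deployment.properties file.
SAMPLE_PROPS = """# constructed sample of ~/.java/deployment/deployment.properties
deployment.security.level=HIGH
"""

# Constructed samples of the first line of `java -version` output.
SAMPLE_VERSION_OLD = 'java version "1.7.0_10"\n'
SAMPLE_VERSION_NEW = 'java version "1.7.0_11"\n'


def parse_properties(text):
    """Parse a Java .properties file: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def security_level_ok(props, minimum="HIGH"):
    """True if deployment.security.level is present and at least `minimum`.

    A missing key means the runtime is using its built-in default, which the
    post says changed from normal to high in 7u11; since this script cannot
    tell which runtime wrote the file, a missing key counts as not verified.
    """
    level = props.get("deployment.security.level", "").upper()
    if level not in LEVELS:
        return False
    return LEVELS.index(level) >= LEVELS.index(minimum)


def parse_java_version(output):
    """Extract (major, update) from `java -version` text, e.g. 1.7.0_11 -> (7, 11).

    Returns None when the legacy 1.x.y_update format is not found.
    """
    m = re.search(r'java version "1\.(\d+)\.\d+_(\d+)"', output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def version_patched(output):
    """True if the reported runtime is Java 7 Update 11 or later."""
    version = parse_java_version(output)
    return version is not None and version >= (7, 11)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPS)
    print("security level at least HIGH:", security_level_ok(props))
    print("7u10 patched:", version_patched(SAMPLE_VERSION_OLD))
    print("7u11 patched:", version_patched(SAMPLE_VERSION_NEW))
```

On a real machine, replace the constructed samples with the contents of the user's deployment.properties file and the output of `java -version`; a missing `deployment.security.level` key is deliberately reported as unverified rather than assumed safe.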
You can grab the fix here. While it’s probably okay to feel safer with this patch installed, some are skeptical. One security researcher believes that it could take a couple of years to truly fix Java. And it’s no surprise – Java has always been a victim of a large number of bugs, and it’s actually pretty surprising that this bevy of serious bugs wasn’t unveiled a lot sooner.
It’s important to note that this affects all platforms. Linux and Mac users, you’re just as vulnerable as the Windows users this time around.