Oracle Java Security Issues Continue
Posted Jan 27, 2013
Authored by Adam Gowdiak | Site security-explorations.com

Security Explorations explains how Oracle's Java security enhancements have failed to mitigate silent exploits.

tags | advisory, java
SHA-256 | 2b66efc1c4e7c9fd15103824bba32feb11a12eafebd5e01dd6368fdffd26c398


Hello All,

According to Oracle's Java security head, the company has
recently made "very significant" security improvements to
Java, including ones meant to prevent silent exploits. The
problem, in his words, is that "people don't understand
those features yet" [1].

Starting from Java SE 7 Update 10, released in Oct 2012, a
user may control the level of security applied to unsigned
Java apps running in a web browser [2][3]. Apart from being
able to disable Java content in the browser completely, the
following four security levels can be configured for
unsigned Java applications:
- Low
  Most unsigned Java apps in the browser will run without
  prompting unless they request access to a specific old
  version of the JRE or to protected resources on the system.
- Medium
  Unsigned Java apps in the browser will run without
  prompting only if the Java version is considered secure.
  The user will be prompted if an unsigned app requests to
  run on an old version of Java.
- High
  The user will be prompted before any unsigned Java app runs
  in the browser. If the JRE is below the security baseline,
  the user will be given an option to update.
- Very High
  Unsigned (sandboxed) apps will not run.

Unfortunately, the above is only a theory. In practice, it
is possible to execute unsigned (and malicious!) Java code
without the prompt that the security level configured in
the Java Control Panel is supposed to produce.
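As an added example (not code from the advisory, Security Explorations or Oracle), the following Python script audits the file in which Java SE 7 Update 10+ persists the Java Control Panel settings described above and applies the advisory's conclusion to what it finds. It assumes, from the Java 7 deployment documentation rather than from this advisory, that the security slider is stored as deployment.security.level (LOW, MEDIUM, HIGH, VERY_HIGH), that the "Enable Java content in the browser" checkbox is stored as deployment.webjava.enabled, and that the per-user file on Windows lives under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment. The two property files in the block are constructed samples, not captured ones.

```python
"""
Audit the Java browser-plugin settings that Java SE 7 Update 10+ stores in
deployment.properties. Added example for this advisory, not code from
Security Explorations or Oracle.

Assumed (from the Java 7 deployment documentation, not from the advisory):
  - the Java Control Panel security slider is persisted as
    deployment.security.level with values LOW, MEDIUM, HIGH, VERY_HIGH;
  - "Enable Java content in the browser" is persisted as
    deployment.webjava.enabled (true/false), defaulting to enabled;
  - the per-user file on Windows lives at
    %USERPROFILE%\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties
"""
import os
import re

LEVELS = ("LOW", "MEDIUM", "HIGH", "VERY_HIGH")

USER_PROPS_PATH = os.path.join(
    os.environ.get("USERPROFILE", ""),
    "AppData", "LocalLow", "Sun", "Java", "Deployment", "deployment.properties")

# Constructed sample: what a 7u11 Control Panel would write with "Very High"
# selected and Java still enabled in the browser. Not a real captured file.
SAMPLE_VERY_HIGH = """\
#deployment.properties
#Sun Jan 27 12:00:00 CET 2013
deployment.security.level=VERY_HIGH
deployment.webjava.enabled=true
"""

# Constructed sample of the one setting that actually removes the plugin
# from the browser's attack surface.
SAMPLE_DISABLED = """\
deployment.security.level=HIGH
deployment.webjava.enabled=false
"""


def parse_properties(text):
    """Parse java.util.Properties-style text: key=value or key:value,
    comments start with # or !, surrounding whitespace ignored.
    Backslash escapes are not decoded; the keys audited here never use them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return (browser_java_enabled, level, verdict).

    level is None when the slider was never touched (the file then has no
    deployment.security.level line) or holds an unknown value."""
    enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    level = props.get("deployment.security.level", "").upper() or None
    if level is not None and level not in LEVELS:
        level = None
    if not enabled:
        verdict = ("Java content disabled in the browser: the plugin is not "
                   "reachable from web pages")
    else:
        # The advisory's point: no slider position prevents Issue 53, so an
        # enabled plugin is exposed whatever the level says.
        verdict = ("Java enabled in the browser at level %s: per Issue 53 the "
                   "slider does not stop unsigned code running silently; rely "
                   "on browser click-to-play or disable the plugin"
                   % (level or "unset"))
    return enabled, level, verdict


def audit_file(path=USER_PROPS_PATH):
    """Audit a real deployment.properties; a missing file means Java never
    wrote one, so every setting is at its default."""
    if not os.path.isfile(path):
        return audit({})
    with open(path, encoding="utf-8") as fh:
        return audit(parse_properties(fh.read()))


if __name__ == "__main__":
    for name, sample in (("very_high", SAMPLE_VERY_HIGH),
                         ("disabled", SAMPLE_DISABLED)):
        enabled, level, verdict = audit(parse_properties(sample))
        print("%-9s enabled=%s level=%s -> %s" % (name, enabled, level, verdict))
```

Run it as-is to see the two constructed samples classified, or call audit_file() on a Windows host to check the current user's real settings; only the second sample, with the plugin disabled outright, gets a clean verdict, which is the advisory's point.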

What we found out, and what is the subject of a new security
vulnerability (Issue 53), is that unsigned Java code can be
successfully executed on a target Windows system regardless
of the four Java Control Panel settings described above.
Our Proof of Concept code that illustrates Issue 53 has been
successfully executed in the environment of the latest Java
SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS
and with "Very High" Java Control Panel security settings.

That said, the recently made security "improvements" to Java
SE 7 software don't prevent silent exploits at all. Users
that require Java content in the web browser need to rely
on the Click-to-Play technology implemented by several web
browser vendors in order to mitigate the risk of a silent
Java plugin exploit.

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Oracle's Java security head: We will 'fix Java,' communicate better
    http://www.computerworld.com/s/article/9236230/Oracle_s_Java_security_head_We_will_fix_Java_communicate_better
[2] Setting the Security Level of the Java Client
    http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html
[3] Understanding the new security in Java 7 Update 11, by Michael Horowitz
    http://blogs.computerworld.com/cybercrime-and-hacking/21664/understanding-new-security-java-7-update-11

